The Court of Appeal has held an employer liable for a deliberate data breach by an employee whose motivation for committing the breach was to cause harm to the employer.

The fact that employers cannot be held vicariously liable for statutory breaches of the Data Protection Act was confirmed, however, this did not prevent the finding of vicarious liability for tortious or iniquitous acts by the employee (such as the misuse of personal data or breach of confidence). In this case, the employer's liability was upheld despite the fact that they were not at fault under data protection or privacy law (WM Morrison Supermarkets plc v Various Claimants).

Background law 

In common law, employers can be held vicariously liable for their employees' tortious or iniquitous acts, where such acts fall into the field of activities to which the employee had been entrusted and there is sufficient connection between the position of employment and the wrongful conduct to make it right for the employer to be held liable under the principle of social justice. Vicarious liability can also be found for breaches of statutory duty unless the statute in question expressly or impliedly indicates otherwise.

Facts 

Mr Skelton was a senior IT internal auditor at the Respondent, who developed a grudge against his employer after receiving a disciplinary warning in July 2013. During an annual external audit of the Respondent in November 2013, Mr Skelton was given access to payroll data in order to pass such data on to the Respondent's auditors, KPMG. Mr Skelton downloaded the data onto his laptop, and, some days later, copied the data onto a personal USB. 

In January 2014, Mr Skelton posted a file containing personal details of 99,998 of the Respondent's employees onto a file sharing website. Mr Skelton used the initials and date of birth of another employee in a deliberate attempt to frame him.  In March 2014, just before the Respondent was due to announce its annual financial reports. Mr Skelton anonymously sent a CD containing the data to three UK newspapers, including a newspaper local to the Respondent's head office. The covering letter claimed that the sender was a concerned third party, who had discovered the payroll data on the web, and included a link to the file sharing site. 

Following his arrest in March 2014, Mr Skelton was convicted to eight years' imprisonment for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA).

The data leak had serious implications for the Respondent's share value, and there were concerns that the information exposed the employees whose data had been leaked to the risk of fraud and compromised privacy. 

In this case, 5,518 employees brought proceedings against the Respondent for damages and interest in respect of claims of private information, breach of confidence and a breach of statutory duty. The Claimants claimed that the Respondent was primarily liable for Mr Skelton's actions.  In the alternative, they were vicariously liable.

High Court decision 

Following directions for a split trial on liability and damages, the trial in respect of liability was initially heard in the High Court, where the following was held: 

The DPA and common law claims 

The argument that the DPA excludes the tort of misuse of private information and equitable claims for breach of confidence was dismissed. Such strands of the law should not be considered mutually exclusive, but rather could act in compliment to each other. 

Primary liability

The Respondent was not held to be primarily liable on any of the grounds claimed on the following basis: 

• The Respondent was not the data controller of the leaked data at the time of the breach of the DPA, and, therefore, did not owe a duties to the Claimants in respect of the Data Protection Principles requiring data to be adequate, relevant and not excessive, processed fairly and lawfully, obtained for specified and lawful purposes, and not kept for longer than necessary. 
• The Respondent may have acted inadequately in respect of Data Protection Principle 7, which requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data, and against accidental loss, damage to or destruction of personal data. However, this did not directly cause the disclosure of personal data.
• The claims against the Respondent in equity and common law for primary liability for breach of confidence and misuse of personal data were dismissed on the basis that the Respondent had not directly misused, authorised or carelessly permitted the misuse of the data. 

Vicarious liability 

It was held that the DPA did not exclude the possibility of vicariously liability, and vicarious liability should be found where there was sufficient connection between the employer and the wrongful conduct. Such connection was found in this case and, therefore, the Respondent was held to be vicariously liable for Mr Skelton's actions. 

Court of Appeal Decision 

The Respondent was give permission to appeal and did so on the basis that the DPA excludes the application of vicarious liability and the application of causes of action for tortious misuse of private information and unequitable breach of confidence (whether primary or vicarious liability is claimed). The Respondent also appealed on the grounds that it was incorrect to conclude that the wrongful acts of Mr Skelton had occurred during his employment with the Respondent, and, therefore, it was factually incorrect to hold the Respondent vicariously liable for such acts. 

The DPA, vicarious liability and common law claims  

Vicarious liability can be found for breaches of statutory duty unless the statute in question expressly or impliedly indicates otherwise. The DPA was held to indicate the exclusion of vicariously liability for breaches of the act, by instead imposing a liability on employers to take reasonable steps to ensure the reliability of employees who may be acting as data controllers. Such vicariously liability in respect of statutory breaches of the DPA was not, however, claimed against the Respondent in this case. 

In respect of whether the DPA prevented vicariously liability to be found at common law for misuse of private information or in equity for breach of confidence (both of which were pleaded in this case), the Court considered whether it was correct to consider the DPA specialist legalisation which Parliament had intended to cover the entire field of employer liability for the wrongful processing of personal data. The Court upheld the finding of the High Court that the DPA did not exclude potential liability of the employer for the misuse of private information and breach of confidence by an employee, so long as the other requirements of the common law and equitable claims were also found. 

Should the Respondent be held vicariously liable for Mr Skeleton's inequitable and tortious actions in this case?

The Respondent was held to be vicariously liable for Mr Skelton, on the following basis:

• The Respondent had deliberately trusted Mr Skeleton with the payroll data.
• Mr Skelton's job included disclosing the data to a third party (namely KPMG) and, therefore, his subsequent disclosure of the data online was closely related to his job, notwithstanding that it was unauthorised.
• The fact that Mr Skelton's tortious acts took place at home, on his own computer and on a Sunday several weeks after he had been given access to the data in a work capacity did not prevent the close connection test from being satisfied. Whilst the time and place of the acts would be considered, they were only one factor in the finding of a connection.  More important was the nature of the relationship between the employment and the tortious acts.  In this case the Court found an unbroken chain between the events despite their temporal and locational disconnect.    

Finally, the Court considered the argument that Mr Skeleton's motive was to harm the Respondent and that finding the Respondent vicariously liable for his acts would, therefore, render the Court an accessory in furthering Mr Skelton's criminal aims. Whilst the Court noted the potential for vicarious liability to render such situations "potentially ruinous" for employers, it held that motive was, and had always been, irrelevant in considering whether vicarious liability should be found.  The intention of the employee to cause financial or reputational damage to their employer was no exception to this. 

Comment 

This case is a salutary tale for employers who may be held liable for employee's actions even where those actions were deliberately motivated by a desire to cause financial or reputational damage to them.  Given the potential for large scale liability to be incurred, employers should heed the Court's advice to insure against losses caused by malicious or dishonest employees. As one of the first successful group actions by thousands of victims of a data breach, this case could open the door to further claims of a similar nature.  Employers would be well-advised to review their insurance and ensure that they are adequately protected. 

Whilst the case offers some relief by confirming that employers cannot be vicariously liable for their employee's breaches of the DPA, it does remind employers of the requirement under the DPA for them to take reasonable steps to ensure the reliability of employees who may be acting as data controllers.

WM Morrison Supermarkets plc v Various Claimants

This article was drafted by Carmen Harland, Trainee Solicitor.