A long-awaited Supreme Court judgment has been handed down this morning in WM Morrison Supermarkets plc v Various Claimants. This is the first group data breach action to come before the courts and will play a significant part in shaping future employment law.
The court heard how a senior employee, Mr. Skelton, who had access to employee data in order to undertake his role within the firm, had deliberately and maliciously leaked employee data online. Earlier rulings in the high court and appeal court had ruled Morrisons was vicariously liable for Mr. Skelton’s actions.
The Supreme Court has unanimously granted Morrisons’ appeal, having determined that the Morrisons was not vicariously liable for the actions of Mr Skelton and therefore could not be held liable to pay damages to the over 9,000 current and former employees claiming against it.
The Supreme Court has provided the a summary of the its judgment, which can be found here.
Mark Thomas, an employment and information law barrister at 5 Essex Court, comments:
“Morrisons will be breathing an enormous sigh of relief. The Court of Appeal determined that, despite being at no direct fault and acting appropriately at all times, Morrisons was liable for the actions of a rogue employee with a vendetta against the firm. The Supreme Court have reversed that decision, restoring normality to the previously established position on vicarious liability”.
“Morrisons has been saved by the Supreme Court’s recognition that ‘it is abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.’ In those circumstances, the Court held that ‘Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment.’”
“Had Morrisons been unsuccessful, it could have been hit by a huge damages bill – even a small award granted on 9,000 occasions could have made a serious dent in the supermarket’s margins.”
“This case also has wider implications for employers through the country. It means that, if they adopt conscientious and careful data control and protection measures, then they can be relatively sure that they are protected against the legal consequences of vindictive data breaches. That will be a huge relief for data controllers and processors who are coming to terms with the onerous data protection landscape following the introduction of GDPR”.
“However, to be clear, whilst they may be protected against vindictive data breaches, companies and individuals that control and process data may still find themselves liable for inadvertent data breaches. The consequences of any such breaches can be financially and reputationally devastating.”
Aaron Moss, an information law barrister at 5 Essex Court, comments:
“Although Morrisons was not liable on these facts, other companies could be held liable for their employee’s data breaches in the future.
“The fact that the Data Protection Act holds individual employees liable for data breaches does not mean that their employer could not also be vicariously liable.
“Companies can be held responsible for the data protection breaches of their employees act unlawfully in the ordinary course of employment.
“Organisations whose employees process personal data – which is almost every private company and public authority – must make sure they have processes in place to mitigate the risk of data breaches by their employees. Otherwise they could be held responsible for any breaches, alongside their employees. A prudent claimant will almost always go after the employer not the employee – it is the employer who has deeper pockets.”