Insurers will be breathing a collective sigh of relief following the Supreme Court ruling handed down on 1 April 2020 in the case of Wm Morrisons v Various Claimants.
Employers and their insurers had seen their potential liability expand with the previous decisions regarding vicarious liability. But the Supreme Court has now ruled that the circumstances in which the wrongdoer in this case committed his acts against the claimants were not such as to result in the imposition of vicarious liability on Morrisons, which could not be held liable for its former employee’s actions.
By way of reminder, the High Court judgment in this case, described at the time as a “landmark ruling”, left organisations (and their insurers) potentially more exposed in the event of a rogue employee deliberately leaking data in breach of applicable legislation.
In January 2014, Andrew Skelton, a former internal auditor for Morrisons, leaked payroll data which included National Insurance numbers, dates of birth, addresses, bank account details and salaries of almost 100,000 Morrisons' employees. The leaked data was posted online and sent to various newspapers and websites.
When Morrisons was notified about the data breach, the company acted quickly and the leaked information was taken down within 24 hours.
During his 2015 criminal trial, the court heard that Andrew Skelton's actions stemmed from a grudge he held against Morrisons after he received a warning for using the company's post room to sell items on eBay. Andrew Skelton was found guilty of fraud, securing unauthorised access to computer material and disclosing personal data. He was jailed for eight years.
Over 5,000 current and former Morrisons employees then brought a civil claim against the company, claiming that the data leak exposed them to potential identity theft and other financial loss, and sought compensation for the distress and loss caused.
Morrisons denied liability, arguing that the company was not liable either directly or indirectly for Andrew Skelton’s criminal misuse of the data and that it had already suffered serious damage as it incurred £2m costs as a result of the data breach.
There were two key questions before the court: (i) was Morrisons directly liable for the breach under the Data Protection Act 1988 or at common law; and (ii) should Morrisons be vicariously liable for the actions of its ex-employee?
At first instance, Langstaff J found that Morrisons had no primary liability in respect of the leak and had not breached DPA Principles 1-6. When Skelton leaked the data without authorisation, he became a separate Data Controller for the purposes of the DPA.
However, as regards vicarious liability, the High Court found Morrisons liable. The court confirmed the rule that the principle of vicarious liability is potentially applicable where an employee commits a breach of statutory duty, even where that duty rests on the employee alone. It found that, on the facts, the disclosure of the data was sufficiently connected to Skelton’s employment. The issue, it held, was therefore not whether Morrisons acted wrongly, but whether, when Skelton did so, his acts were closely connected with his employment. Although Morrisons was the main target of Skelton’s actions, it held that it was just that it should be vicariously liable for wrongful acts and loss to the affected data subjects.
The Court of Appeal subsequently upheld the lower court decision.
Of understandable concern to insurers was the fact that both lower courts, in finding that liability for potentially vast sums could be passed onto an organisation (despite the fact that it was itself the target of the wrongdoing), found comfort in the fact that the employer organisations can insure against losses caused by their dishonest employees.
Langstaff J commented: “I note that I have not been referred to a single case in which it is said that vicarious liability had overwhelmed a company. I have no doubt that this is because many commercial entities will cover the potential losses by appropriate insurance within the ordinary course of trading”.
Applying Mohamud v WM Morrison Supermarket plc and the principles set out in Various Claimants v Catholic Child Welfare Society, Langstaff J found the fact that Morrisons were “more likely to have the means to compensate the victim and can be expected to have insured against that liability, even if breaches of data security may not historically have been a mainstream risk” to be a reason why it would be just and reasonable to impose vicarious liability.
This gave rise to heightened concern that liability insurers may be required to pay out large sums on data breaches, particularly when viewed in conjunction with the decision in Vidal, which broadened the scope beyond financial loss, to the non-pecuniary loss of distress.
The position was not improved by the Court of Appeal ruling which stated: “There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees. We have not been told what the insurance position is in the present case, and of course it cannot affect the result. The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward by Ms Proops on behalf of Morrisons.”
However, the Supreme Court has now ruled that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing. “On the contrary, he was pursuing a personal vendetta, seeking vengeance for his disciplinary proceeding some months earlier… Skelton’s misconduct was not so closely connected with acts which he was authorised to do so that, for the purpose of Morrisons’ liability to third parties, it can fairly and properly be regarded as being done by him while acting in the ordinary course of employment.” The Supreme Court also found that employers could in principle be vicariously responsible for breaches of the DPA by employees.
Overall, this ruling is certainly a relief to insurers. It keeps in check the potential liabilities that could be passed their way. It is, at the same time, a stern reminder for all organisations that data protection policies and cyber security policies must be robust. Organisations can, of course, insure these liabilities (leaving aside the question around insurability of fines, this case highlights the value of such cover), and insurers may yet find themselves responding where their insured is vicariously liable for a data breach. But this ruling at least narrows the scope somewhat when it comes to actions of rogue employees and calls into question the suggestion that passing on liability to an employer is somehow more easily done because insurance is potentially in place.