Data breaches and vicarious liability – a warning to business

In WM Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339, the Court of Appeal re-affirmed the principles of vicarious liability, making it clear that businesses should strongly consider using insurance to protect themselves from large data breaches by employees. This was an important judgment that affirmed that a change in the law was not appropriate.

The power of a disgruntled employee

In March 2014, Andrew Skelton posted the payroll information of 99,998 Morrison Supermarkets (“Morrisons”) employees on the internet. Mr Skelton was a disgruntled employee who was attempting to hurt Morrisons after he fell out with it during a disciplinary procedure. Mr Skelton was convicted of fraud by abuse of position, as well as various other offences, and sentenced to eight years’ imprisonment. A group of over 5,000 Morrisons employees brought a claim against the supermarket for breach of confidence, misuse of private information and a statutory breach of the Data Protection Act 1998.

Liability: primary and vicarious

In the High Court, the judge found that Morrisons was not primarily liable for the data breach. The supermarket had procedures and policies in place and was not itself negligent. However, the judge found Morrisons vicariously liable for the actions of its employee. The judge also dismissed Morrisons’ arguments that the Data Protection Act had excluded the possibility that it could be held to be vicariously liable. The judge did, however, consider it concerning that, by imposing liability, the courts were acting in a manner which aided Mr Skelton’s motives in damaging the company, and he granted permission to appeal to the Court of Appeal.

The Court of Appeal upheld the first instance judgment. Importantly, it declined to make an exception to the rule that the motive of the employee is not a relevant factor in deciding whether vicarious liability should be imposed.

Not negligent but still liable

There must be some sympathy for Morrisons; it was found not to be negligent, having put in place the necessary protections and compliance procedures, but still liable when a rogue employee released the highly confidential data of its staff. The consequences of this breach will be hugely costly, and the perpetrator of the crime has the pleasure of seeing Morrisons financially damaged.

On the other hand, it would be no remedy to the claimants to impose damages on Mr Skelton; he is almost certainly unable to pay the compensation they seek. It is a longstanding principle of law that an employer may be vicariously liable for deliberate wrongdoing by an employee. The question of whether there is such vicarious liability is highly fact-specific, but as this case demonstrates, ultimately the motive of the employee is not a relevant factor. This will be the case even where the motive is to act unlawfully to damage the employer.

Insurance is vital

In the judgment the Court of Appeal also noted that – given that the amounts which may be payable in these types of cases may be ruinous to a company – it remains open to businesses to insure themselves against “such catastrophes”, including for losses caused by malicious employees. With so much important data held by a myriad of companies, data breaches are becoming more common. The right insurance may provide adequate protection, and is likely to become essential for all businesses, big and small.