Rogue employee’s data breach: UK supermarket chain not liable in class action
The UK Supreme Court has recently overturned decisions of lower Courts and found that a supermarket chain is not vicariously liable for a rogue employee’s cyber hack in a data breach class action.
On 1 April 2020, in WM Morrisons Supermarkets plc v Various Claimants  UKSC 12, the Supreme Court overturned the Court of Appeal’s 2018 judgment to uphold a first instance finding of vicarious liability against Morrisons in respect of its 2014 data leak.
Morrisons was the first class action in the United Kingdom dealing with cyber risks and breach of data.
Morrisons operates a chain of supermarkets in the United Kingdom.
At the material time, Andrew Skelton was a senior auditor in Morrisons’ internal audit team. Part of Mr Skelton’s role at Morrisons involved sending payroll data to an external auditor.
In July 2013, Mr Skelton had been subject to disciplinary proceedings for minor misconduct and received a verbal warning from Morrisons. Due to an ‘irrational grudge’ Mr Skelton held against Morrisons, he copied sensitive payroll data onto a personal USB stick.
Mr Skelton then posted personal details of almost 100,000 of Morrisons’ employees on a file sharing website, which included the employees’ names, addresses, gender, dates of birth, bank details and salary. Mr Skelton ‘made the disclosure when he was at home, using the mobile phone, the false email account and Tor’. Mr Skelton then sent CDs containing the data to three newspapers on the day Morrisons’ financial results were due to be announced. The newspapers did not publish the data, but instead notified Morrisons of the data breach and the leaked information was taken down within 24 hours.
Mr Skelton was arrested and charged with a number of offences under the Data Protection Act 1998 (DPA) and was subsequently found guilty and sentenced to eight years in prison.
Some affected employees brought claims against Morrisons that alleged that it:
- had breached statutory duties under the DPA, misused private information and engaged breaches of confidence; and
- should be vicariously liable for Mr Skelton’s conduct.
First instance and appeal
At first instance, Morrisons was held to be vicariously liable for Mr Skelton’s conduct, on that basis that it was within the ‘field of activities’ assigned to him and sufficiently connected to his employment.
The Court of Appeal dismissed Morrisons’ appeal of this judgment despite:
- Morrisons appearing to have done as much as it reasonably could to prevent the misuse of data; and
- Mr Skelton’s intention to cause reputational or financial damage to Morrisons.
Morrisons appealed to the Supreme Court, being the final court appeal in the UK for civil cases.
Supreme Court decision
The Supreme Court heard submissions on two main issues:
- whether Morrisons was vicariously liable for Mr Skelton’s conduct; and
- whether the DPA excluded an employer’s vicarious liability for statutory torts committed by the employee under the DPA or the misuse of private information and breach of confidence.
Vicarious liability for Mr Skelton’s conduct
The Supreme Court held that the Court of Appeal had ‘misunderstood the principles governing vicarious liability in a number of relevant respects’.
The Supreme Court applied the test of whether Mr Skelton’s wrongful conduct was so closely connected with acts that he was authorised to undertake by Morrisons that the conduct may fairly and properly be regarded as done by Mr Skelton in the course of his employment. In doing so, the Court found the Court of Appeal had been in error by:
- too broadly interpreting the ‘field of activities’ assigned to Mr Skelton. Mr Skelton’s disclosure of the personal data of Morrisons’ employees on the internet, for his own purposes, did not form part of his functions or field of activities, nor was it an act he was authorised to undertake;
- considering factors listed by Lord Phillips in Various Claimants v Catholic Child Welfare Society 2 AC 1 , the application of which should be limited to the separate question of whether vicarious liability should be imposed on a party for the actions of someone who is not an employee;
- finding that Mr Skelton’s motive was not relevant. Mr Skelton’s motive was relevant, and ‘whether he was acting on his employer’s business or for purely personal reasons was highly material’. Mr Skelton had committed the wrongdoing, pursuing his own ‘personal vendetta’, which equated to a ‘frolic of his own’, rather than being engaged in furthering Morrisons’ interests.
Effect of decision on employers and insurance
This decision will no doubt bring some comfort to employers, as it realigns the extent of their responsibilities for the actions of a rogue employee in a cyber attack and data breach context, when employees act outside their scope of duties purely for personal reasons. This particularly for employees who act on a ‘frolic of their own’ and are not ‘acting in the course of their employment’.
This decision is in contrast to a wave of earlier decisions in UK lower courts that sought to expand the scope of vicarious liability, and marks a return to the common sense interpretation of the phrase ‘frolic of their own’, on which previous UK vicarious liability cases had been founded, which may flow on to the Australian legal system.
The earlier decision of the Court of Appeal referred to the availability of insurance as an answer to the potentially large number of claims to which ‘innocent’ corporates might be exposed, and that insurance was ‘a valid answer to the Doomsday or Armageddon arguments’, while noting the fact that a defendant is insured is not a reason for imposing liability. The Supreme Court made no such reference to insurance, which is in line with the conventional approach taken by Courts to not rely on insurance considerations when deciding whether liability should be imposed.
Implications for Australia
This decision has clarified the position in the United Kingdom (arguably to be more in line with Australia):
- from vicarious liability being found where employment provides no more than an opportunity for the wrongful act to be committed, to liability being based on other factors (in Australia that includes where the employment provides the occasion for the wrongful conduct);
- to a seemingly more common-sense approach, which considers the motive of the employee, narrowly considers the ‘field of activities’ assigned to them and requires more than opportunity to carry out the wrongful conduct and whether the conduct was exclusive to the employees’ duties.
In these time of global uncertainty due to COVID-19, Australian business have required many employees to work from home. Some of those employees have access to sensitive or privileged information. This decision should serve as a reminder to employers to ensure that checks are in place that limits the ability of employees to perform actions beyond their roles within the field of their activities. Failures to have proper security checks and procedures in place may lead to exposure for employers beyond possible vicarious liability findings for the actions of an employee.
Employers should be especially vigilant to take appropriate precautions to mitigate cyber, employment and privacy risks, which may include:
- ensuring regular written and web-based communications with employees;
- reminding employees of pre-existing or new COVID-19 policies and procedures, especially with respect to the company’s privacy protocols while working remotely;
- ensuring proper systems security, monitoring and data access limitations are in place to limit the ability of employees to act on a ‘frolic of their own’ within systems;
- carefully considering an employee’s disciplinary action, and the ability for an employee to breach data protocols remotely, if they become disgruntled as part of that process;
- considering whether their current liability insurance is sufficient to cover the increased risks of employees working from home who have access to personal or sensitive data;
- providing additional training on duties of confidentiality and data-handling best practices.
Gilchrist Connell has a wealth of experience handling cyber and employment matters. If you have any questions, please contact the authors.
 As considered in our October 2018 Limelight article, ‘When will an employer be vicariously liable for an employee’s cybercrime?’