Whether or not an employer can be vicariously liable for a rogue employee’s data breach is a key question that is often asked since the GDPR was introduced 4 years ago. In recent years there has been an increased focus on data protection from both businesses and individuals.
The legal test for an employer’s vicarious liability
The legal test is the “close connection test”, which says that in situations where an employee carries out a negligent act, for the employer to be held vicariously liable (i.e. responsible) the act must be closely connected to the work that the employee was employed to do.
In a first of its kind group action, a case against Morrisons by a group of employees made its way through the court system and it was finally decided by the Supreme Court in April 2020, just as the pandemic began to bite. The Supreme Court found, that based on the facts of that case, that Morrisons was not vicariously liable for the actions of its employee in disclosing the pay roll data of 100,000 colleagues onto the internet. It reiterated the position that for an employer to be responsible for an employee’s actions, its actions had to be closely connected to the duties the employee had in their role.
The case had to go all the way through the court system to reach this conclusion though, with the Court of Appeal initially finding that Morrisons was responsible for the employee’s actions which caused concern for employers at risk of finding themselves in a similar situation.
Mr Skelton, who released the information, was a senior IT internal auditor employed by Morrisons. His actions were fuelled by a grudge in response to a disciplinary he received for using Morrisons postal facilities for his personal use.
Morrisons asked Mr Skelton to provide payroll data to KPMG, who requested it for external auditing purposes. However, after copying the data onto a USB stick and passing it onto KPMG he also copied it onto a personal USB stick. Subsequently, he released the data onto a file-sharing website and sent copies to newspaper companies. Mr Skelton posted this data on an account which he created under his colleague’s name.
Mr Skelton denied three counts of fraud, but was found guilty and sentenced to eight years in prison in 2015. It is estimated that his actions cost the supermarket around £2million.
The High Court Decision
A group of Morrisons employees alleged that Morrisons had breached the Data Protection Act 1998 which applied at the time. The High Court decided that Morrisons had put in place appropriate and adequate data protection controls and had complied with the Data Protection Act 1998. However, in December 2017, the High Court ruled that Morrisons was still vicariously liable for Mr Skelton’s actions as his employer.
The Court of Appeal Decision
Morrisons appealed on two points.
- Firstly, it argued that the Data Protection Act 1998 expressly or impliedly excludes employers from being vicariously liable for their employees’ actions, and that it would be unreasonable for this to apply given the impact on small businesses of this liability. The Court of Appeal rejected this argument, and suggested that employers should have adequate insurance in place to cover this risk.
- Secondly, Morrisons argued that the High Court had been wrong to find it was responsible for Mr Skelton’s actions under the vicarious liability test. For an employer to be vicariously liable for the actions of its employee, the court must:
- consider the nature of the responsible employee’s job; and
- decide whether there is a sufficient connection between the employee’s role and the wrongful conduct that occurred.
Essentially the test is whether the actions were done in the course of the employee’s employment, or were separate to this.
Morrisons argued that because Mr Skelton had downloaded the data several months before posting it, had published the data from his home on a Sunday and used his personal laptop, there wasn’t a sufficient connection between his role and his actions.
The Court of Appeal rejected this argument. It agreed with the High Court that there was an unbroken chain of events leading to the wrongful conduct and there was no reason for Mr Skelton to be “on the job” when the breach actually occurred. The key here was that Mr Skelton’s role specifically involved handling payroll information, which was the information he illegally disclosed. The employee’s role in respect of the payroll data was to receive it, store it and disclose it to a third party, namely the external auditor. His unauthorised disclosure was therefore closely related to what Morrisons had tasked him to do. Further, when the employee received the data and covertly copied it to his USB stick, he was acting as an employee and the chain of events from then until disclosure was unbroken. For the reasons above, the High Court held there to be a sufficiently close connection between the employee’s employment and his wrongful conduct, making it right for Morrisons to be held liable.
The Court of Appeal felt that Mr Skelton’s motives (and the fact that his conduct was criminal) was not relevant.
The Supreme Court’s Final Decision
Luckily for Morrisons, on appeal to the Supreme Court, the Court of Appeal decision was reversed and the final decision in this landmark case was that Morrisons was not vicariously liable for the actions of this employee.
The Supreme Court found that to hold Morrisons vicariously liable then they would have had to be convinced that the employee’s act in disclosing the data was “so closely connected with acts he was authorised to do that…. his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment.’
On the facts, however, the judges agreed that this test wasn’t met. The employee wasn’t “furthering his employer’s business” when he leaked the information on the internet. He was acting personally. He was pursuing a personal vendetta because he was unhappy about the disciplinary action taken against him. The Supreme Court concluded that his actions couldn’t fairly and properly be regarded as having been done by him while acting in the ordinary course of his employment.
The implications for employers
The final Supreme Court decision was a big relief for not just Morrisons but also other employers. The decisions of the earlier courts in this case would have had huge implications for employers if Morrisons hadn’t continued to pursue their appeal.
To avoid being in a similar position as Morrisons in the future, the starting point for employers is to ensure that they have compliant data protection policies in place and have updated these to comply with the more vigorous requirements under the GDPR.
As the Court of Appeal highlighted, employers should also ensure they have insurance cover that covers not only negligent acts by employees, but losses covered by malicious employees.
Where a data protection breach does occur, employers should act quickly to minimise the impact on the individuals affected, and improve their systems to prevent further breaches.
If you need help updating your data protection policies to ensure you are adequately protected, please get in touch with any member of the Employment team.
To find out more about your data protection obligations and how we can help please see links below: