Who’s responsible? Employer liability for data breaches

Are employers responsible for their employees’ data breaches?

A recent decision in the UK might allay concerns about vicarious liability for employee data breaches. But employers are not entirely home free.

Background

In April 2020, the UK Supreme Court decided that UK supermarket chain Morrisons was not vicariously liable for its employee’s malicious disclosure of confidential data.[1]

Andrew Skelton was a senior internal auditor for Morrisons. He received a verbal warning relating to his use of the Morrisons mail room for his personal business. Taking umbrage, he then planned his revenge. His opportunity came when he was tasked with transmitting payroll data to KPMG, giving him access to payroll data (including personal and banking details) of around 120,000 Morrisons’ employees. Mr Skelton took a copy of most of the data, put it online and sent it to three newspapers (using a false email address to try to frame a colleague in the process). One of the newspapers he contacted notified the authorities. He also timed this disclosure to coincide with publication of Morrisons’ annual financial results in order to cause maximum damage.

Skelton was sentenced to 8 years in prison for this unlawful and criminal disclosure.

Claims of Vicarious Liability

A class action on behalf of 9,263 current and former employees was commenced against Morrisons seeking damages for distress caused by disclosure of their personal data in breach of the Data Protection Act 1998 (as it then was), breach of confidence and misuse of private information. The group claimed that Morrisons was either directly liable or liable “vicariously” as Skelton’s employer.

At the initial trial, the High Court dismissed the claim that Morrisons was directly liable but held that Morrisons was vicariously liable. It held that, essentially, Morrisons had put Skelton in a position where he legitimately had access to, and the ability to copy, the data and was therefore responsible for what he then did with it. The court found that there was an “unbroken thread” between Mr Skelton’s actions and the sharing of the data online. As Mr Skelton had been trusted with handling the confidential data and sharing it with KPMG, the subsequent disclosure of that information online was sufficiently connected to his employment for Morrisons to be liable.

The Court of Appeal upheld the High Court’s decision and Morrisons appealed to the Supreme Court, who overturned the decision.

Was Morrisons vicariously liable for Skelton’s actions?

Morrisons argued that Skelton was not acting in the course of his employment when he disclosed the data, and so Morrisons was not vicariously liable. For an employer to be vicariously liable for the wrongdoing of an employee, there must be a sufficiently close connection between the employee’s work and the employee’s wrongdoing, such that the wrongful actions of the employee were in the course of his employment.

The Supreme Court agreed with Morrisons. In a unanimous judgment, five justices found that the Court of Appeal had ‘misunderstood the principles governing vicarious liability in a number of relevant respects’, including whether the employee had been acting in his ‘field of activities’ when committing the crime and if there was sufficient connection between his job and his wrongful conduct.

The Supreme Court drew a distinction between cases where an employee is engaged (misguidedly) in furthering his employer’s business, and cases where an employee is engaged solely in pursuing his own interests. ‘It is abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing,’ Lord Reed, president of the Supreme Court, said. Rather, he was pursuing a ‘personal vendetta’, seeking vengeance for disciplinary proceedings.

Lord Reed observed: ‘Perhaps unsurprisingly, there does not appear to be any previous case in which it has been argued that an employer might be vicariously liable for wrongdoing which was designed specifically to harm the employer.’

Skelton was clearly pursuing his own interests when he wrongfully disclosed the payroll data, and so his conduct was not sufficiently connected with acts that he was authorised to do that it could be regarded as in the course of his employment. Therefore, Morrisons was not vicariously liable for Skelton’s actions.

Vicarious Liability and the Data Protection Act 1998 (UK)

Morrisons also argued that the UK equivalent of the Australian Privacy Act excluded the possibility of vicarious liability for statutory data breaches or common law wrongs, such as breach of confidence. This was rejected by the Supreme Court: ‘Attractively though this argument was presented, it is not persuasive,’ Lord Reed concluded.

Costs to Morrisons

The costs of defending the claim have not been revealed. However, it has been reported that Morrisons spent over £2.26m in responding to the incident, much of it on identity protection for its employees, and likely spent a considerable amount of money defending this claim (not all of which will necessarily be recoverable). This expense underlines the importance of managing data and employees properly, particularly at a time like this when the workforce at large is working remotely, and many employees are not under direct physical management supervision.[2]

What Does This Mean for Australian employers?

The same sort of reasoning around vicarious liability is likely to be used if a similar case were brought in Australia. This means that, generally, Australian employers should be more comfortable that they won’t be vicariously liable for the unauthorised actions of rogue employees.

However, the threat of vicarious liability has not been entirely removed.

Businesses should be wary that under different circumstances they could be held vicariously liable for a data breach by an employee (for example, where employees are not acting in their own interests or with intent to harm their employer). This potential liability may, in turn, present an attractive prospect for litigation funders and those looking to bring class actions.

We have commented before on the rise of data breach and privacy related cases in Australia. This UK decision may provide more impetus for a class action against an Australian employer where the acts of the individual are more directly connected with what he or she has been authorised to do.

In Morrisons, there was no opportunity for the UK Court to consider the amount of damages that should be awarded for the distress and anxiety suffered by the affected employees. Perhaps one of the other claims making its way through the Commissioner’s review process or the Australian courts will throw some light on how compensation for data breaches that do not cause financial or other more easily quantifiable loss will be assessed.

Perhaps the most interesting court battle is yet to come.

References:

[1] WM Morrisons Supermarkets plc v Various Claimants

[2] https://www.lawgazette.co.uk/news-focus/news-focus-what-morrisons-means-for-vicarious-liability/5103786.article