Takeaways

This highly anticipated decision following a long-running legal battle is significant in finding that companies should not be held vicariously liable for data breaches following the actions of rogue employees who act alone. A £55 million damages claim was overturned.
This decision represents a watershed moment for companies who could otherwise be subject to compensation claims on a potentially vast scale through no fault of their own. Employers should keep in mind, however, that the door is still open for vicarious liability class action claims when an employee is considered to be acting on behalf of an employer and a breach is suffered.
There are various steps employers should take to reduce cybersecurity risk exposure where large numbers of employees are working remotely during the current COVID-19 pandemic.

In a milestone victory for the UK retailer Morrisons, the UK’s highest court has overturned a lower court ruling that the supermarket chain was vicariously liable for distress suffered by its employees following the theft and dissemination of payroll data by a former senior member of staff. Had the decision been upheld and the claim succeeded, Morrisons would have been required to pay significant class action damages to claimants.

Facts

In 2013, Morrisons granted Andrew Skelton, a senior internal auditor, access to its employee payroll information so that he could share the data with Morrisons’ external advisors for auditing purposes.

In an act of revenge for a prior disciplinary action, Skelton copied and shared the payroll information of approximately 100,000 employees online.

While Skelton was handed an eight-year jail sentence for these actions, a class action was brought against Morrisons by nearly 100,000 of its former and current employees. The group claimed that Morrisons was either directly or indirectly liable for the distress suffered as a result of the theft and disclosure of their personal data.

High Court & Court of Appeal

At first instance, the UK High Court dismissed the claim that Morrisons was directly liable for the losses suffered by the claimants.

However, on the basis that Morrisons had granted Skelton access to the payroll data, the UK High Court held that the supermarket chain could be liable on an indirect basis, via the legal principle of vicarious liability, maintaining that Skelton had stolen the data during the course of his employment. The UK Court of Appeal upheld this decision.

Supreme Court Ruling

Overturning the earlier judgments, on 1 April 2020, the Supreme Court unanimously held that Morrisons could not be vicariously liable for Skelton’s actions, which he had undertaken in “an independent venture of his own”, and outside “the course of his employment”.

For vicarious liability to be established, an employee’s wrongful act must be within the scope of his “field of activities”. In its judgment, the Supreme Court held that “Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question…he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier”.

Departing from the position taken by the lower courts, the Supreme Court further held that the temporal and causal link between Skelton’s access to the data and his subsequent disclosure did not establish liability.

It is vital that companies continue to ensure their systems and processes for securing data are robust, particularly given the risks associated with home working and the marked increase in cybersecurity attacks being seen during the COVID-19 pandemic.

This case is significant in finding that companies should not be held vicariously liable for the actions of rogue employees who act alone and outside the course of their employment.

The case fires a warning shot toward the burgeoning class action culture developing in the UK where data breaches are suffered through no fault of the company suffering the breach and brings considerable relief to companies across the UK.

Employers should, however, bear in mind that when an employee continues to act on their behalf, and a breach is suffered, the company will be on the hook for such breaches. The distinguishing feature here is that the court deemed the rogue employee to be acting on his own behalf and outside the field of activities associated with his job role. The net result is that the door is still open for vicarious liability of employers to be argued in class action cases.

In particular, companies should take steps to ensure that stringent employee privacy policies and notices are in place setting out which software applications employees are permitted to use when working remotely to communicate with colleagues and clients; that vigorous cybersecurity due diligence is performed before any application is permitted to be used; that staff are trained on the use of such tools; that systems and processes are monitored and tested; and that the service contract with any such service provider contains the appropriate contractual protections, as mandated by law.

Without taking such steps it is difficult to see how a court would be quite so sympathetic towards an employer where cybercriminals accessed personal data held by the company and the company became subject to a significant vicarious liability class action claim. The employer would almost certainly also face regulatory scrutiny and become subject to a significant fine for security breaches under the General Data Protection Regulation.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.