The Court of Appeal has upheld a decision of the High Court holding that an employer can be vicariously liable for data breaches caused by the actions of an employee, even where the employee’s actions were specifically intended to harm the employer. This decision is significant as it means a company can be held liable to compensate affected data subjects for loss caused by a data breach, even where the company has committed no wrongdoing and regardless of the employee’s motive.
In reaching this conclusion, the Court of Appeal confirmed that the Data Protection Act 1998 (DPA) does not preclude an employer from being vicariously liable at common law for an employee’s misuse of private information or breach of confidence. Whether or not an employer is ultimately found to be vicariously liable will depend on two factors: (i) the nature of the employee’s job, and (ii) whether there is a sufficient connection between the position in which the employee was employed and their wrongful conduct.
The employee in this case was a senior IT internal auditor employed by the UK supermarket chain Morrisons. He held a grudge against his employer following disciplinary proceedings. Subsequently, in 2014, he leaked payroll information of almost 100,000 employees, which included names, addresses, national insurance numbers, bank account details and salaries. The employee was arrested and convicted of various criminal offences. A group of 5,518 employees whose data had been disclosed brought a claim against Morrisons, alleging misuse of private information, breach of confidence and breach of statutory duty under section 4(4) DPA 1998. They claimed Morrisons should be held both directly liable for the losses arising out of the breach and vicariously liable for the wrongful acts of the employee.
In the High Court, it was held that Morrisons was not directly liable in respect of any breach of confidence or misuse of private information. In addition, it was the employee, rather than Morrisons, who was the data controller at the time of any breach of the Data Protection Principles. The Court did, however, find that Morrisons fell short of its obligations under the seventh principle (i.e. to take appropriate technical and organisational measures to protect data against unauthorised or unlawful processing), as there was no organised system for the deletion of the payroll data from the employee’s computer once the task it had been provided for was complete. However, this did not make Morrisons directly liable, because that failure neither caused nor contributed to the unauthorised disclosure which actually occurred: the employee had already copied the data elsewhere.
With regard to vicarious liability, the High Court rejected Morrisons’ arguments that the DPA excludes any possibility of vicarious liability or that the effect of the DPA is to exclude any scope for vicarious liability under the common law torts of misuse of private information or breach of confidence. Applying previous case law in this area, the Judge held there was a sufficient connection between the position in which the employee was employed and his wrongful conduct to make it appropriate for Morrisons to be held vicariously liable.
The Court of Appeal judgment
The Court of Appeal held that the High Court Judge had been correct to find that the DPA does not exclude either the possibility of vicarious liability or an employer’s vicarious liability at common law for an employee’s misuse of private information and breach of confidence.
In relation to the question of vicarious liability, the Court of Appeal applied the test used by the Supreme Court in Mohamud v Wm Morrison Supermarkets plc (a case which, coincidentally, also involved Morrisons supermarkets). The test requires the court to consider two matters: first, what functions or ‘field of activities’ have been entrusted by the employer to the employee; and second, whether there was a sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable.
The Court of Appeal agreed with the High Court that the first question was satisfied by the fact that the employer had deliberately entrusted the employee with the payroll data. It was a task specifically assigned to him. His role was to receive and store the data and to disclose it to a third party, the external auditors. His choice to disclose it to a different third party was not authorised, but it was closely related to what he had been tasked to do.
Counsel for Morrisons argued that the second limb of the test, a “sufficient connection”, was not satisfied, since the tortious act which caused the harm was done by the employee at his home, using his own computer, on a non-work day and several weeks after he had downloaded the data onto his personal USB stick. However, the Court of Appeal noted that there are numerous cases in which employers have been held vicariously liable for torts committed away from the workplace. It agreed with the High Court that the employee’s actions formed an unbroken thread linking his work to the disclosure: a “seamless and continuous” sequence of events which had all been part of a plan.
One feature of the case that the Court felt was novel was that the motive of the employee was to harm his employer rather than to achieve some benefit for himself or to inflict injury on a third party. Morrisons argued that to impose vicarious liability on the employer in these circumstances would render the Court an accessory in furthering the employee’s criminal aims. Morrisons also argued that a finding of vicarious liability would be contrary to public policy, as it would place an enormous burden on innocent employers. However, the Court rejected both of these arguments and affirmed the position that an employee’s motive is irrelevant, even where that motive is to cause financial or reputational damage to the employer.
The Next Steps
This judgment affirms that employers can be held vicariously liable for employees’ actions even where the employer has no primary liability and has taken steps to prevent employees from misusing the personal data they have access to. Vicarious liability may even arise where the misuse or disclosure was effected purely for the purpose of damaging the employer.
This will, understandably, be concerning to employers, particularly because the nature of personal data breaches means that many data subjects are likely to be affected. Even if the loss suffered per person is minimal, an employer’s total liability can be huge where there are thousands or even millions of affected data subjects, especially given the ability of data subjects to seek compensation for non-material harm such as distress, which is enshrined in the GDPR and the Data Protection Act 2018. Interestingly, the Court suggested that the solution for employers wishing to protect themselves against claims of “potentially ruinous amounts” is to insure against losses caused by dishonest or malicious employees. How the insurance market will react to this reasoning remains to be seen, but it is indicative of a growing expectation that liability risks in this area will be insured, and it may lead insurers to adopt a cautious approach at the underwriting stage.
Morrisons have indicated that they intend to appeal to the Supreme Court. Should the decision survive this final appeal, focus will then shift to the quantum of compensation to be awarded to each employee, at which point the full extent of the liability risk to employers will become clearer. The stage may then be set for a range of similar claims to be brought against employers in future on a group litigation basis.
This post was co-written with Steven Hadwin, Mya Joel and Marcus Evans and can also be seen in the Data Protection Report.
Vicarious liability in the data breach context – bad news for UK employers?