Supreme Court signals limits of vicarious liability in Morrisons case

Data Protection
A recent Supreme Court decision regarding supermarket chain Morrisons has attracted much attention as it clarifies the conditions under which a company is not responsible for an employee that goes rogue.

However, far from being an absolute Get Out of Jail Free card, little has actually changed under the law itself. The Morrisons’ result is essentially a “recalibration” of the law which had become a little blurred.

Another fact remains clear: a frolic can be a dangerous thing.

What happened at Morrisons could have taken place at any other company: a disgruntled employee (Skelton) did not respond well to disciplinary action. During the course of his employment as a senior internal auditor, he had access to considerable personal data, for the purposes of completing an auditing task. Acting on a grudge stemming from the employment action, he posted payroll data of almost 100,000 Morrisons’ employees on the internet, then helpfully notified the press of his actions. Morrisons acted quickly by removing the data from the internet, investigating the incident thoroughly and alerting the police. 

Despite Morrisons’ swift actions, and advice that “we’ve seen absolutely no evidence of anyone suffering any direct financial loss”, the supermarket was not able to quash a class action by 9,000 employees under common law, and the Data Protection Act 1998 (as was in place at the time) for misuse of private information and breach of confidence; the first data leak class action in the UK. 

Morrisons lost a battle in the Court of Appeal in October 2018 when the court upheld the High Court’s decision that the company was vicariously liable for the actions of its rogue employee. As well as the exposure to compensation claims, the supermarket chain faced considerable negative publicity.

In what some are viewing as a change to the legal concept of vicarious liability, the Supreme Court decided that there was no vicarious liability on Morrisons; no doubt a welcome reprieve for employers everywhere. (Many would agree that it would be unfair for the supermarket to be vulnerable to a substantial class action when it had not actually done anything wrong). 

Interestingly, the Supreme Court looked very closely at the principles of vicarious liability and the various historical applications of those principles under case law and decided that, rather than rewrite the law, it was tasked with restating it, opining that the law was correct but had been applied inappropriately in the lower courts.

 

The overriding principles are clear:

Field of activities

The first issue to be determined is: what field of activities has been entrusted by the employer to the employee? 

In this case, although Skelton had access to the data in the course of his role, which he could release to external auditors, his responsibilities did not extend to posting information to the internet. Online disclosure of data was not within his field of activities.

 

Sufficiently Close Connection 

The second issue is: is there a sufficiently close connection between the role for which the individual was employed and that individual’s wrongful acts?

When Skelton posted to the internet, was he acting on his employer’s business or was he off on a “frolic of his own”? His actions were not sufficiently connected to his job description. Those actions were in no way furthering the business for which he was employed. Skelton had clearly acted outside the boundaries of his job description as releasing the data to the world was not close enough to his allowable sharing of information.

Incidentally, the fact that Skelton had the opportunity to share data in the way that he did was not sufficient to warrant a finding of vicariously liability. The unbroken chain between the provision of data to Skelton and his ultimate misuse of it, did not satisfy the close connection test.

It was held by the Supreme Court that the reason for wrongful disclosure was highly material. Skelton was pursuing a personal vendetta – his motivation was outside the realm of his duties. His actions were taken within a personal context, for highly personal reasons.

The Supreme Court drew a clear distinction between Skelton’s actions and the actions of a petrol pump attendant in another recent case. The attendant got into an altercation with a motorist after the motorist went into the sales kiosk to enquire whether some documents could be printed. The attendant hurled racial abuse at the motorist and ordered him to leave the premises.

It was held that the capacity in which the event took place was critical. The petrol attendant’s job was to attend to customers and respond to inquiries and ultimately, the attendant’s actions were within the field of activities that he was authorised to undertake. Responding to the motorist’s request was within his job description, albeit the conduct itself was offensive and entirely inappropriate. The attendant was acting on his employer’s business, and not pursuing private ends and the employer was vicariously liable.

 

Facts Are Everything

So, an employer is still vicariously liable for the actions of rogue employees if those actions are closely connected with their work responsibilities. 

It is clear that the application of these two principles and the ensuing outcome, is very much circumstance-specific. A specific factual analysis will determine the extent of the wrongful conduct compared with the scope of the job description. Unfortunately this doesn’t necessarily provide us with the absolute certainty we might prefer.

Another case , held that “[t]his lack of precision is inevitable, given the infinite range of circumstances where the issues arises. The crucial feature or features, either producing or negativing vicarious liability vary widely from one case or type of case to the next. Essentially the court makes an evaluative judgment in each case, having regard to all the circumstances and, importantly, having regard also to the assistance provided by previous court decisions.”

What is clear is that nothing in the Morrisons judgment detracts from the vicarious liability of an employer for the actions of employees within the ambit of their job. Put another way according to another old case , if an employee injures someone whilst out driving a cart, if the employee is on “master’s business”, the master will be liable but if the employee is “going on a frolic of his own”, there is no liability on the master. 

Putting this into the context of a data privacy breach by a rogue employee, if the dissemination of information on a wider scale, or posting to the internet is part of that employee’s job description, vicarious liability for the malicious acts of that employee could ensue. 

 

Any Other Issues?

The issue of vicarious liability did not make it past first base in the Supreme Court. On that basis, a second argument that Data Protection Act 1998 excluded vicarious liability, was somewhat academic. However, the Supreme Court did give a position, holding that there was nothing in that Act that precluded a finding of vicarious liability on an employer – again, no change to the prevailing legal position.

While the old Data Protection Act has been superseded, there was no commentary to suggest that the advent of the GDPR and Data Protection Act 2018 might cause the Supreme Court’s decision to be any different; the imposition of a statutory liability is not inconsistent with the imposition of vicarious liability at common law.

Interestingly from an insurance perspective, there was a consideration by the Court of Appeal in the Morrisons case, that an employer holding insurance for losses arising from acts of malicious employees, was a relevant factor in the finding of vicarious liability. In the Supreme Court however, the existence of any insurance policy covering the actions of a rogue employee was not deemed a relevant issue in determining the employer’s liability. This will bring some comfort to employers that where an employee is acting outside the scope of employment, those actions should not erode certain insurances.

As a final comment, the issue of class actions recently brought to the fore  by the Court of Appeal’s decision in Google v Lloyd has not been moved forward by this case. The door remains open.

Meanwhile, Skelton’s frolic landed him 8 years in prison with anything but an open door.

For further information, please contact: 
Vanessa Cathie, Account Executive, Global Professional & Financial Risks
Tel: + 44 (0)20 7933 2478
Email: Vanessa.Cathie@uk.lockton.com

Similar articles

Cyber
Insight

Lockton Cyber Security Report 2017

UK businesses severely unprepared for the seismic aftershocks of a cyber attack

What other companies can learn from TSB’s IT outage
Insight

TSB IT failure: lessons learnt

A recent IT failure has highlighted some of the risks companies can face when digitising their business.

Fake news: a real risk to profits and reputation
Insight

Fake news: a real risk to profits and reputation

Fake news is affecting more and more businesses. Planning your response in advance could make the difference.

Cyber Risk and COVID-19
Insight

Cyber risks and the COVID-19 pandemic

The spread of the new coronavirus and the resulting disease, COVID-19, has created immense challenges and hardships for individuals and companies. Unfortunately, some of those challenges are in the cyber arena.