UK Supreme Court Rules on Employer Liability for Data Breaches

On 1st April 2020, the UK Supreme Court handed down its decision in Various Claimants versus WM Morrisons Supermarkets. This decision decidedly overruled the Court of Appeal, which the Supreme Court stated ‘misunderstood the principles governing vicarious liability in a number of relevant respects, of which were particularly important’.

In overruling the Court of Appeal, the Supreme Court held that Morrisons was not vicariously liable for a data breach maliciously caused by a former ‘rogue’ employee who was acting outside the course of his employment. The decision came as a surprise to employers across the UK who feared increased data breach liability due to the recent implementation of the General Data Protection Regulation (GDPR) in 2018.

Review the following guidance for background information on the case, the Supreme Court decision and key implications of this decision for employers.

Case Background

In 2014, an employee of Morrisons posted personal details (eg salary and bank account information) of almost 100,000 Morrisons employees online and later notified the press of the data breach. Around 9,000 employees brought a class action lawsuit against Morrisons, alleging that the supermarket was directly or vicariously liable for:

  • Breach of the Data Protection Act 1998 (DPA 1998)
  • Misuse of private information
  • Breach of confidence

The High Court found that Morrisons did not have direct liability under the DPA 1998 because the employee acted independently from his employer. However, the Court did find Morrisons vicariously liable for the data breach.

Under established law, an employer is vicariously liable for the actions of its employee if that employee is acting ‘in the course of the employment’, even if those acts are unlawful. Whether the acts are sufficiently ‘closely connected’ with employment to be ‘in the course of the employment’ depends on the facts of the case.

On appeal, the Court of Appeal found that the acts were sufficiently closely connected. That is, the rogue employee’s acts in sending the data to third parties were ‘within the field of activities’ assigned to him by Morrisons, and there was an unbroken thread that linked his work to the unlawful disclosure.

Supreme Court Decision

After appealing to the Supreme Court, the Court found that the ‘close connection’ test developed in previous case law was not satisfied, and therefore vicarious liability could not be imposed on Morrisons. The Supreme Court reasoned that:

The employee’s actions in causing the data breach were not within the ‘field of activities’ of the employee. This means that his actions were not so closely connected with that task that they could be fairly and properly regarded as made by him while acting in the ordinary course of his employment.

The mere fact that the employee’s role gave him an opportunity to commit the act is not sufficient to give rise to vicarious liability.

Morrisons is not vicariously liable where the employee was not furthering Morrisons’ business and, instead, was pursuing a personal vendetta.

Key Implications for Businesses

The Supreme Court decision does not eliminate, but will likely suppress the appetite for group litigation arising from data breaches. Because this decision does not rule out the possibility that a successful claim for a data breach caused by a rogue employee could be brought in the future, employers must remain on high alert. All it would take for a finding of vicarious liability is for an employee to satisfy the ‘close connection’ test when they caused a data breach.

In addition, keep in mind that this incident occurred prior to the implementation of the GDPR—which effectively replaced the DPA 1998. In any future cases that focus on data breach incidents occurring after 25th May 2018, the GDPR will apply.

Lastly, it is important to remember that Morrisons did, in fact, ensure a sufficient level of security. The lower courts did not find any fault on the supermarket’s security measures in connection with the breach. Rather, the case was decided entirely on the employee’s actions. Had Morrisons not had sufficient security to safeguard its data, the outcome of this case would likely have been different.

In response to this decision, it’s important for employers like you to ensure adequate technical and organisational measures prevent the risk of a data breach. These measures include:

  • Implementing appropriate security systems to allow for the earliest possible detection of a data breach
  • Conducting regular staff training on cyber-security best practices and data breach response protocols
  • Reviewing procedures for identifying which individuals are authorised to access sensitive organisational data
  • Defining the scope of employees’ responsibility for personal data protection
  • Implementing a detailed cyber-continuity and incident response plan to help mitigate the potential impacts of a breach
  • Ensuring all data protection and cyber-security measures are compliant with the GDPR

For more guidance on data protection requirements, cyber-security best practices and cyber-insurance solutions, contact us today.