Case update: Morrisons data breach

Summary:

This is an important judgment which effectively returns the law of employers’ vicarious liability for the criminal acts of their employees back to the state it was in prior to the January 2018 High Court decision.  This decision is, in essence, that the employer will not be liable if the criminal act was not closely linked to the employee carrying out their legitimate duties.

Facts:

You may recall that back in 2014, Morrisons Supermarket was the victim of a data breach carried out by an employee, Mr Skelton.

Our original case report of the High Court decision, setting out the main facts, is available here.  Mr Skelton leaked personal details online of 100,000 of Morrisons’ employees – including their salary, bank account and NI information, as apparent retribution following a disciplinary process against him.  Skelton was jailed for this but in a claim by many of these employees, Morrisons (as Skelton’s employer) was found vicariously liable for his actions in the High Court and the Court of Appeal.

Morrisons appealed to the Supreme Court in an attempt to reverse these judgments.  It was helpful of them to do so since the judgments created a wider scope for vicarious liability for employers from the acts of their employees than had been the case previously.

Until the case, the law had not held employers vicariously liable for the criminal actions of their employees.  This is because vicarious liability has evolved as a legal concept relating to the employer having liability for something that an employee does in the course of performing their job.  Since criminal activity could hardly be said to be included in a job description (insert any jokes here), the theory of vicarious liability did not sit well when applied to Skelton’s behaviour.

However, the High Court and Court of Appeal felt that there was a sufficient connection between Skelton’s lawful performing of his role in putting the payroll data onto a memory stick and his later criminal action of uploading that data to the internet.  These decisions therefore shocked many in the legal community by seeming to greatly expand the potential liability of employers for the criminal acts of their employees, where that criminal act could even partly be traced back to their job.  With Skelton and Morrisons, the only real link here was that he had gained possession of the data lawfully, as part of his role.

Now the Supreme Court has ruled that the courts below it had misunderstood the principles of vicarious liability and so failed to appreciate that the employee’s criminal disclosure – an act of revenge against Morrisons arising from a previous disciplinary process against him – was not so closely connected with tasks which Skelton was authorised to do that (for the purposes of Morrisons’ liability to third parties) it can fairly and properly be regarded as done by him as part of his employment.

Implications:

With a certain sigh of relief, it appears that vicarious liability law now returns to what we had understood it to mean prior to the January 2018 High Court judgment.
