The High Court in London has handed down a judgment establishing that, as a matter of English law, a company can be held vicariously liable in respect of data breaches caused by its employees.

This means that a company can be held liable to compensate affected data subjects for loss – including non-pecuniary loss such as upset and distress – caused by a data breach, even where the breach was caused by an employee and the company itself committed no wrongdoing.

The judgment will be welcomed by activist data subject groups seeking greater means of redress in relation to data breaches. However, a note of caution should be sounded as to its significance. The judge granted the defendant leave to appeal the finding of vicarious liability, recognising that the judgment had given a very broad interpretation to the various requirements which need to be satisfied in order for vicarious liability to be established. In this regard, the judgment notably acknowledges that the finding of vicarious liability could lead to the paradoxical result of furthering the intention of the rogue employee, which was to cause financial harm to his employer. It remains to be seen, therefore, whether the findings of the judgment will survive the appeals process.

The Facts

In 2014, a rogue employee of the UK-based supermarket chain Morrisons leaked the payroll data of almost 100,000 Morrisons employees – including their names, addresses, national insurance numbers, bank account details and salaries. The employee, a Mr. Skelton, was ultimately given an eight-year prison sentence for various criminal offences as a result of his actions, including under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA).

A group of 5,518 former and current employees of Morrisons subsequently brought a claim against Morrisons in the English courts, alleging breaches by Morrisons of the DPA, as well as an equitable claim for breach of confidence and a tort claim for misuse of private information. The claimants argued that Morrisons should be held directly liable for the losses arising out of the breach, or vicariously liable for the acts of Mr. Skelton.

Morrisons defended the claims on the basis that it could not be held liable, either directly or vicariously, for Mr. Skelton’s unauthorised criminal misuse of data to which he had access.

The Judgment

The court held that:

  1. Primary liability could not be imposed on Morrisons under the DPA, for breach of confidence or for misuse of private information. This finding was made on the basis that it was not Morrisons itself which caused the data breach – rather, the breach was caused by Mr. Skelton, acting without authority and criminally. As such, Morrisons did not directly misuse any information personal to the affected data subjects, nor did it authorise such misuse or permit it by carelessness.
  2. However, vicarious liability could be imposed on Morrisons in relation to the actions of Mr. Skelton. In this regard, the court referred to the existing body of case law in finding that:
  • An employer such as Morrisons can be held liable for the acts of its employees “in the conduct of the employees’ employment”;
  • Mr. Skelton’s actions in leaking the data were committed in the conduct of his employment. The court gave this term the broad interpretation which the Supreme Court applied in 2016 (in an unrelated case in which Morrisons was coincidentally also the defendant), finding that there was “sufficient connection” between the position in which Mr. Skelton was employed and his wrongful conduct in leaking the data; and
  • The drafting of the DPA does not preclude the imposition of vicarious liability on a company in circumstances where direct liability for a breach of the DPA would rest with an employee (in this case, Mr. Skelton).

The judgment does not deal with the issue of quantum, which will be determined at a later date. For the time being therefore, the compensation to be awarded to the affected employees as a result of Morrisons’ vicarious liability is unknown.

The Next Steps

Morrisons’ appeal of the judgment is expected to be lodged shortly. The judgment does not allow for a cross-appeal on the issue of whether Morrisons should be primarily, as well as vicariously, liable – but it is not inconceivable that the claimants might seek leave to appeal this point as well. There remains much to play for in the case, and the appeal process will be closely monitored by UK employers and potential claimant groups in the coming months.

If the finding of vicarious liability on the part of Morrisons is upheld, employers will need to come to terms with a significantly greater liability risk relating to the actions of their employees in the context of data breaches.
