Despite Morrisons’ victory in the Supreme Court last week over the actions of a disgruntled employee, the ruling did not entirely extinguish the threat to businesses from vicarious liability

Data leaks lost some of their potential to harm businesses last week when the Supreme Court killed off the UK’s first group action over such a breach. Grocery giant Morrisons was found not to be vicariously liable for the criminal acts of a disgruntled employee, who published online the personal details of 100,000 staff.

However, the landmark judgment does not entirely muzzle the threat of vicarious liability – nor of the eyewatering damages claims that could follow.

In a unanimous judgment, five justices found that the Court of Appeal had ‘misunderstood the principles governing vicarious liability in a number of relevant respects’, including whether the employee had been acting in his ‘field of activities’ when committing the crime and if there was sufficient connection between his job and his wrongful conduct.

The breach occurred when Andrew Skelton, then a senior internal auditor, was tasked with transmitting payroll data to KPMG. Harbouring a grudge against his employer, Skelton published the data online. He also sent it to three newspapers, one of which alerted the authorities. He received an eight-year jail sentence and 9,000 Morrisons employees brought a group action seeking compensation.

In WM Morrisons Supermarkets plc v Various Claimants, president of the Supreme Court Lord Reed allowed Morrisons’ appeal, finding that the online disclosure of the data was not part of Skelton’s ‘field of activities’, as it was not an act he was authorised to do. He added that ‘although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Skelton for the purpose of transmitting it to KPMG and his disclosing it on the internet, a temporal or causal connection does not in itself satisfy the close connection test.

‘It is abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing,’ Lord Reed said. Rather, he was pursuing a ‘personal vendetta’, seeking vengeance for disciplinary proceedings.

Lord Reed observed: ‘Perhaps unsurprisingly, there does not appear to be any previous case in which it has been argued that an employer might be vicariously liable for wrongdoing which was designed specifically to harm the employer.’

The Supreme Court did not accept, however, that the Data Protection Act 1998 (now replaced by the 2018 act and the General Data Protection Regulation) excludes imposition of vicarious liability for either statutory or common law wrongs. ‘Attractively though this argument was presented, it is not persuasive,’ Lord Reed concluded.

Lawyers say the judgment should be welcomed – albeit cautiously – by UK businesses. Adam Rose, commercial and data protection partner at Mishcon de Reya, said: ‘Employers – and the insurance sector (which might have been asked to cover much of the risk) – can breathe a sigh of relief that they will not be vulnerable to expensive claims arising from the unauthorised actions of rogue employees. They must still comply with the security requirements of GDPR, but – as long as they do – they shouldn’t find themselves defending an action in which they were also arguably a victim.’

However, the judgment does not wholly eliminate the risk of vicarious liability. ‘This decision will only be of limited comfort for companies that experience a data security breach,’ said Matthew Felwick, class actions specialist and partner at Hogan Lovells. ‘The court’s reluctance to totally exclude vicarious liability gives another potential tool to claimant lawyers, further increasing the already considerable risks of data class actions in the UK. We are seeing more actions brought by large groups of claimants for damages for the distress and anxiety caused by the misuse of personal data, irrespective of financial loss, and this decision will do little to slow that trend.’

Uncertainty also hangs over the financial situation of the parties. Manchester firm JMW Solicitors, which acts for the claimants, refused to disclose how the lengthy litigation was funded. Meanwhile international firm DWF, representing Morrisons, did not reveal whether it will be pursuing any litigation funder for costs.

Perhaps the most interesting court battle is yet to come.