Vicarious liability is a legal concept that involves one person being held responsible for the acts of another person. In employment law, this most often involves an employer being held liable for an act committed by one of its employees.
Being held vicariously liable can have serious consequences for the employer, particularly financially. For example, in relation to equality issues, an employer may be liable for an employee committing an act of discrimination, where the potential damages are uncapped. Moreover, it generally makes more sense for an employee to sue the employer as well as the perpetrator, as the employer tends to have more financial resources at its disposal to pay any compensation.
It is possible for an employer to defend itself when an employee tries to argue vicarious liability. In some cases, that defence will be that the offending employee was not acting within the course of his or her employment. However, the developing case involving data breaches at Morrisons supermarkets suggests that the courts will not easily accept such a defence.
The facts of the case and original decision
In July 2015, Andrew Skelton (a former Morrisons employee) was convicted of stealing and sharing the personal data of around 100,000 Morrisons employees. The data was sent to the media and data sharing sites. Mr Skelton has since been sentenced to eight years in prison.
Around 6,000 of the affected employees brought a claim against Morrisons, arguing that it should be held both directly and vicariously liable for the actions of Mr Skelton and the distress caused by their data being leaked.
The High Court (HC) did not uphold the claim of direct liability as it did not find that Morrisons breached any data protection principles, apart from in one inconsequential manner.
However, the HC did find Morrisons vicariously liable for Mr Skelton’s actions, as it decided that he had acted in the course of his employment when he stole and shared the data. This finding was made despite the HC’s acceptance that Mr Skelton had deliberately shared the data as an attack on Morrisons.
The Court of Appeal’s decision
Morrisons appealed that decision on a number of grounds, some of which were more technical in nature. For the purposes of this article, the relevant ground was Morrisons’ argument that Mr Skelton did not act in the course of his employment when he stole and shared the data.
The Court of Appeal (CA) stated that two questions had to be answered: firstly, what functions or ‘field of activities’ Mr Skelton was entrusted with and, secondly, whether there was a sufficient connection between his position and the wrongful conduct to support a finding of vicarious liability.
The first question was straightforward, as Morrisons entrusted Mr Skelton with dealing with the relevant data.
For the second question, Morrisons argued that there was not a close enough connection between his role and the leak of the data, as it was done at Mr Skelton’s home, on his home computer, at the weekend, weeks after he took the data from Morrisons’ systems.
However, the CA was not persuaded by that argument. It agreed that the time and place of the misconduct were relevant, but not decisive in themselves. It also held that the sharing of the data with the media and websites was within the field of activities assigned to him by Morrisons.
Morrisons also referred to the HC’s acknowledgement that Mr Skelton had leaked the data to deliberately harm Morrisons, and argued that finding vicarious liability would render the court an accessory in furthering Mr Skelton’s criminal aims.
Again the CA was not persuaded, stating that it is settled law that an employer can be vicariously liable for purposeful wrongdoing.
Accordingly, Morrisons’ appeal was unsuccessful.
What does this mean?
This case is clearly concerning from an employer’s perspective, as it is difficult to see what Morrisons could have done any differently. It was found to have (mainly) adequate safeguards in place in relation to data protection. Mr Skelton’s role made it appropriate for him to have access to the data, and he had no authorisation to leak it as he did.
It remains to be seen whether the case will be appealed further, but it seems likely that Morrisons will be keen to do so.
Another point of concern is that this case was decided on pre-GDPR principles. Had it been otherwise, the obligations on Morrisons may have been considered through a much stricter lens and its liability may have been greater.
With the above in mind, employers should ensure that they are (where possible) adequately insured against such events, and that they have appropriate technical and organisational measures in place to prevent them as far as possible.
If you have any questions on any of the issues raised in the above article, please contact Seanpaul McCahill.