In the recent case of WM Morrison Supermarkets plc v Various Claimants  UKSC 12, the Supreme Court found that Morrisons was not vicariously liable for a rogue employee who posted payroll data of around 100,000 other employees on a file-sharing website. This decision is good news for compliant businesses that nevertheless are subject to litigation as a result of data breaches and other acts perpetrated by disgruntled employees.
Mr Andrew Skelton was a senior auditor in Morrisons’ internal audit team. In July 2013, Morrisons discovered that he was using the mail room at their headquarters to send items he was selling on eBay in a personal capacity. As a result, he was subject to disciplinary proceedings for minor misconduct and was given a verbal warning.
Following those proceedings, Mr Skelton harboured an irrational grudge against Morrisons. He wrote a draft resignation letter speaking of his “anger and frustration that has not diminished with the passage of time” and how he had “scant regard” for the firm.
In preparation for an external audit, in November 2013 Morrisons’ external auditors requested payroll data to test its accuracy. The head of Morrisons’ internal audit team delegated the task of collating and transmitting the data to Mr Skelton. To enable him to carry out the task, he was given access to the payroll data relating to the whole of Morrisons’ workforce, around 126,000 employees. These consisted of the name, address, gender, date of birth, phone numbers, national insurance number, bank sorting code, bank account number and salary of each member of staff.
Mr Skelton searched, using his work computer, for “Tor”, a piece of software capable of disguising the identity of a computer which has accessed the internet. He also obtained a pay-as-you-go mobile phone, which could not be traced back to him. After sending the payroll data to the external auditors as he had been told to do, he surreptitiously copied the data from his work laptop on to a personal USB stick.
Mr Skelton then used the username and date of birth of a fellow employee, Mr Kenyon, to create a false e-mail account, in a deliberate attempt to frame him. Mr Kenyon had been involved in the disciplinary proceedings earlier that year. Mr Skelton linked that e-mail account to his phone and deleted the data from his work laptop.
In January 2014, Mr Skelton uploaded the file containing the data of 98,998 of the employees to a publicly accessible file-sharing website. He did this while at home, using the pay-as-you-go mobile phone, the false e-mail account and Tor. Having made this unauthorised disclosure, he deactivated the e-mail account, and deleted the data and the file from the USB stick.
On 13 March 2014, the day on which Morrisons’ financial results were due to be announced, Mr Skelton sent CDs containing the file anonymously to three UK newspapers. He purported to be a concerned member of the public who had found the file on the file-sharing website. The newspapers did not publish the data. Instead, one of them alerted Morrisons. Within a few hours, Morrisons had taken steps to ensure that the data was removed from the internet, instigated internal investigations, and informed the police.
It also informed its employees and undertook measures to protect their identities. Mr Skelton was arrested a few days later. He was subsequently convicted of a number of offences, including fraud, and was sentenced to eight years’ imprisonment. In the interim, Morrisons had spent more than £2·26m in dealing with the immediate aftermath of the disclosure. A significant element of that sum was spent on identity protection measures for its employees.
The proceedings below
A total of 9,263 former or current employees of Morrisons brought proceedings against the firm for breach of the Data Protection Act 1998 (“DPA”), misuse of private information and breach of confidence. They argued in the alternative that Morrisons should be held vicariously liable for Mr Skelton’s actions. The claimants sought damages for “distress and anxiety” caused by the data breach. The High Court made a group litigation order in connection with the claims. Ten lead claimants were selected, with the remainder of the claims being stayed pending judgment.
The trial judge, Langstaff J, rejected the contention that Morrisons was under a primary liability in any of the respects alleged, but held that it was vicariously liable for Mr Skelton's breach of statutory duty under the DPA, his misuse of private information, and his breach of his duty of confidence. He rejected Morrisons’ argument that Mr Skelton’s wrongful conduct was not committed in the course of his employment, holding that Morrisons had provided him with the data in order for him to carry out the task assigned to him, and that what had happened thereafter was “a seamless and continuous sequence of events … an unbroken chain”.
He added that Morrisons trusted Mr Skelton to deal with confidential information, and took the risk that it might be wrong in placing that trust in him. His role in respect of the payroll data was to receive and store it, and to disclose it to “a third party”. That “in essence” was his task. The fact that he disclosed it to others than KPMG was not authorised, but was nonetheless “closely related” to what he was tasked to do.
Morrisons sought to overturn this judgment in the Court of Appeal. However, like the first instance judge, the court held that the act of Mr Skelton in sending the claimants’ data to third parties was “within the field of activities assigned to him by Morrisons”. The court also agreed with the trial judge that the relevant facts constituted a “seamless and continuous sequence” or “unbroken chain” of events. Although it was an unusual feature of the case that Mr Skelton's motive in committing the wrongdoing was to harm his employer, that motive was irrelevant. The Court of Appeal therefore agreed with Langstaff J that Morrisons was vicariously liable for Mr Skelton’s wrongdoing.
Morrisons appealed to the Supreme Court.
A history of vicarious liability
The modern development of the law of vicarious liability occurred during the late 17th and early 18th centuries, when the doctrine was broadened in response to the expansion of commerce and industry. The Chief Justice at the time, Sir John Holt, explained the doctrine as resting on the principle that, where an employer employed the wrongdoer, and the employee committed a wrongful act against the claimant within the area of the authority given to him, it was fairer that the employer should suffer for the wrongdoing than the person who was wronged.
This led to an established formula introduced by Sir John Salmond in the first edition of Salmond on Torts (1907), which defined a wrongful act by a servant in the course of his employment as “either (a) a wrongful act authorised by the master or (b) a wrongful and unauthorised mode of doing some act authorised by the master”, with the elaboration that a master is liable for acts which he has not authorised if they are “so connected with acts which he has authorised, that they may rightly be regarded as modes, although improper modes, of doing them”. Although Salmond's formula was applied in many cases over the course of the 20th century, it was not universally satisfactory, particularly in cases concerned with deliberate acts of misconduct.
The Salmond formulation was stretched to breaking point in Lister v Hesley Hall Ltd  1 AC 215, which concerned the sexual abuse of children by the warden of a school boarding house. Even on its widest conceivable interpretation, the sexual abuse of children could not be described as a mode, albeit an improper mode, of caring for them. Lord Steyn, giving the leading judgment, said that it was not necessary to ask whether the acts of sexual abuse were modes of doing authorised acts. He posed the broader question whether the warden's torts were so closely connected with his employment that it would be just to hold his employers liable. He concluded that they were, stating that “the sexual abuse was inextricably interwoven with the carrying out by the warden of his duties”.
Lord Millett, in a passage in his speech which proved to be influential in later cases, suggested that the Salmond formulation could be adapted “to impose vicarious liability where the unauthorised acts of the employee are so connected with acts which the employer has authorised that they may properly be regarded as being within the scope of his employment”.
The leading case in this area, before the Supreme Court handed down its judgment in the Morrisons case, was in fact another decision involving the supermarket chain, namely Mohamud v WM Morrison Supermarkets Plc  UKSC 11.
The question which arose on the facts of Mohamud was whether the employer of a petrol station attendant was liable for an assault which the attendant had perpetrated on a motorist. The motorist had entered a sales kiosk to ask if some documents could be printed. The attendant, Mr Khan, refused the request and ordered the motorist to leave, using racist and threatening language. He then followed the motorist back to his car, opened the door and ordered him never to come back, again using threatening language. When the motorist told Mr Khan to close the door, Mr Khan assaulted him.
The first instance judge dismissed a claim against the employer on the ground that Mr Khan's actions were beyond the scope of his employment. An appeal against that decision was dismissed by the Court of Appeal. The argument made in the appeal to the Supreme Court was that the test of vicarious liability should be broadened so as to turn on whether a reasonable observer would have considered the employee to be acting in the capacity of a representative of the employer at the time of committing the tort. The court rejected that argument, holding that the test established in Lister remained good law without need of further refinement.
Applying the established test, however, the Supreme Court allowed the appeal on the facts of the case. Lord Toulson, giving the judgment of the court, stated that the connection between the employee's conduct and his employment was “an unbroken sequence of events” and “a seamless episode”. As set out above, and discussed further below, those phrases were relied on in the current Morrisons decision, both by the first instance judge and the Court of Appeal.
The connection test clarified
Lord Reed, giving the sole judgment of the Supreme Court, explained that the lower courts had misinterpreted the Mohamud decision. Lord Toulson’s judgment was not intended to effect a change in the law of vicarious liability. The judgments below focused on the following final paragraphs, in which Lord Toulson summarised the long-established principles:
“It is a fact of life, and therefore to be expected by those who carry on businesses, that sometimes their agents may exceed the bounds of their authority or even defy express instructions. It is fair to allocate risk of losses thus arising to the businesses rather than leave those wronged with the sole remedy, of doubtful value, against the individual employee who committed the wrong. To this end, the law has given the concept of ‘ordinary course of employment’ an extended scope.
If, then, authority is not the touchstone, what is? … Perhaps the best general answer is that the wrongful conduct must be so closely connected with acts the partner or employee was authorised to do that, for the purpose of the liability of the firm or the employer to third parties, the wrongful conduct may fairly and properly be regarded as done by the partner while acting in the ordinary course of the firm’s business or the employee’s employment.”
Lord Reed said that the lower courts had unduly focused on a few phrases in those paragraphs, taking them out of context and treating them as establishing legal principles.
The words “fairly and properly” were not intended as an invitation to judges to decide cases according to their personal sense of justice, but required them to consider how the guidance derived from decided cases furnishes a solution to the case before the court. It was the role of judges to identify from the decided cases the factors or principles which point towards or away from vicarious liability, and which explain why it should or should not be imposed. Following that approach, Lord Reed said, cases can be decided on a basis which is principled and consistent.
Similarly, Lord Reed held that the courts below had misinterpreted Lord Toulson’s references to “an unbroken sequence of events” and “a seamless episode”. Those terms were used by Lord Toulson to rebut the argument that the assault on the customer was unconnected with Mr Khan’s field of activities; an argument which had emphasised in particular the fact that Mr Khan had left the sales kiosk and followed the customer to his vehicle. In that regard, Lord Toulson held:
“What happened thereafter was an unbroken sequence of events. It was argued by the respondent and accepted by the judge that there ceased to be any significant connection between Mr Khan’s employment and his behaviour towards the claimant when he came out from behind the counter and followed the claimant onto the forecourt. I disagree for two reasons. First, I do not consider that it is right to regard him as having metaphorically taken off his uniform the moment he stepped from behind the counter. He was following up on what he had said to the claimant. It was a seamless episode.
Secondly, when Mr Khan followed the claimant back to his car and opened the front passenger door, he again told the claimant in threatening words that he was never to come back to the petrol station. This was not something personal between them; it was an order to keep away from his employer’s premises, which he reinforced by violence. In giving such an order he was purporting to act about his employer’s business. It was a gross abuse of his position, but it was in connection with the business in which he was employed to serve customers.”
Read in context, Lord Toulson’s comments that there was “an unbroken sequence of events”, and that it was “a seamless episode”, were not directed towards the temporal or causal connection between the various events, but towards the capacity in which Mr Khan was acting when those events took place. Lord Toulson was explaining why, in his view, Mr Khan was acting throughout the entire episode in the course of his employment.
When Mr Khan followed the motorist out of the kiosk and on to the forecourt, he was following up on what he had said to the motorist while in the kiosk. He ordered the motorist to keep away from his employer's premises. In doing so, he was “purporting to act about his employer's business”. As Lord Toulson said, “this was not something personal”.
Lord Reed found that the first instance judge and the Court of Appeal in the current Morrisons decision had therefore misunderstood Lord Toulson and misapplied the principles governing vicarious liability in a number of relevant respects.
First, the disclosure of the data on the internet did not form part of Mr Skelton’s functions or field of activities, in the sense in which those words were used by Lord Toulson. The disclosure was not an act which he was authorised to do.
Second, although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Mr Skelton for the purpose of transmitting it to the external auditors and his disclosing it on the internet, a temporal or causal connection does not in itself satisfy the close connection test.
Third, the reason why Mr Skelton acted wrongfully was not irrelevant. On the contrary, whether he was acting on his employer’s business or for purely personal reasons was highly material. Lord Reed therefore felt bound to conclude that the question of whether Morrisons was vicariously liable for Mr Skelton’s wrongdoing had to be considered afresh.
In carrying out this task, Lord Reed first considered the acts which Mr Skelton was authorised to do, namely to collate and transmit payroll data to the external auditors. There was no question that Mr Skelton had performed that task. The remaining question was whether Mr Skelton’s wrongful disclosure of the data was so closely connected with the collation and transmission of the data to the external auditors that, for the purposes of the liability of his employer to third parties, the disclosure may fairly and properly be regarded as made by him while acting in the ordinary course of his employment.
Lord Reed explained that the connecting factor between what Mr Skelton was authorised to do and his unauthorised disclosure was that he could not have made the disclosure if he had not been given the task of collating the data and transmitting it to the external auditors. It was the provision of the data to him, so that he could perform that task, that enabled him to make a private copy of the data, which he subsequently used to make the unauthorised disclosure.
Clearly, however, the mere fact that Mr Skelton’s employment gave him the opportunity to commit the wrongful act would not be sufficient to warrant the imposition of vicarious liability. The courts below had treated it as important that Mr Skelton’s disclosure of the data on the internet was, as the first instance judge said, “closely related to what he was tasked to do”: a remark which the Court of Appeal described as “plainly correct”.
Lord Reed stated that the fallacy in that approach was explained by Lord Wilberforce in Kooragang Investments Pty Ltd v Richardson & Wrench Ltd  AC 462, which concerned an employee who was authorised to carry out valuations, and negligently carried out a valuation without authority from his employers and not on their behalf. Lord Wilberforce rejected the argument that so long as the employee is doing acts of the same kind as those which it is within his authority to do, the employer is liable, and is not entitled to show that the employee had no authority to do them. He said:
“The underlying principle remains that a servant, even while performing acts of the class which he was authorised, or employed, to do, may so clearly depart from the scope of his employment that his master will not be liable for his wrongful acts.”
Lord Reed noted with approval Lord Toulson’s dictum in Mohamud that, in applying the close connection test, it is necessary to have regard to the assistance provided by previous court decisions. Perhaps unsurprisingly, there were no recorded cases in which it had been argued that an employer might be vicariously liable for wrongdoing which was designed specifically to harm the employer. Lord Reed found that the decided cases which were most closely comparable to the present case were those concerning vicarious liability for deliberate wrongdoing intended to inflict harm on a third party for personal reasons of the employee.
A particularly relevant example was Attorney General of the British Virgin Islands v Hartwell  1 WLR 1273, a decision of the Privy Council. That case concerned a police officer who left his post and went into a bar where his partner worked as a waitress and, in a fit of jealous rage at finding her there with another man, fired a number of shots at both of them with his service revolver. A bystander was injured and claimed damages from the Government.
The connecting factors relied upon by the bystander as satisfying the close connection test were (i) that the officer was a police officer on duty at the time of the shooting, (ii) that the place where the shooting occurred was within his jurisdiction, and (iii) that he had used a police revolver to which he was given access at the police station where he was posted and which he was permitted to use for police purposes.
It was argued that these factors created a connection between the wrongdoing and the acts which the officer was authorised to do (which might be thought to bear a close analogy to those relied on in the present case, where Mr Skelton committed the wrong using data to which he was given access at work and which he was permitted to use for an authorised purpose). Those factors were held to be insufficient. Lord Nicholls, giving the judgment of the Privy Council, explained:
“From first to last, from deciding to leave the island of Jost Van Dyke to his use of the firearm in the bar of the Bath & Turtle, Laurent’s activities had nothing whatever to do with any police duties, either actually or ostensibly. Laurent deliberately and consciously abandoned his post and his duties. He had no duties beyond the island of Jost Van Dyke. He put aside his role as a police constable and, armed with the police revolver he had improperly taken, he embarked elsewhere on a personal vendetta of his own. That conduct falls wholly within the classical phrase of ‘a frolic of his own’.”
The contention that the Government was vicariously liable was rejected on the ground that since, at the relevant time, the officer had abandoned his post and embarked on a vendetta of his own, his wrongful use of the gun was not something done in the course of his employment.
Lord Reed said that this example illustrated the distinction between cases where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests. In the present case, it was abundantly clear that Mr Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. Lord Reed concluded:
“On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier. In those circumstances, Mr Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment.”
The Supreme Court accordingly allowed Morrisons’ appeal.
The decision is a welcome confirmation that, where employees deliberately use personal data for a purpose which is clearly outside the scope of their duties or authority, the employer should not be liable for the resulting losses merely because the breach was carried out by an employee who legitimately had access to the data as part of his role.
Employers must still of course maintain adequate security measures and safeguards, and restrict access to personal data only to those employees who need to have access to carry out their roles, as well as conducting regular training on data protection obligations and the steps employees must take to comply. This is particularly important given that the Supreme Court’s reasoning leaves open the possibility that, on different facts, an employer might still be held liable for a data breach caused by the malicious acts of one of its employees, if there was a closer connection to their employment than with Mr Skelton.
Claims relating to data breaches in the UK are becoming more prevalent. The General Data Protection Regulation has recently been introduced, expanding employers’ data protection obligations. As evidenced by the Morrisons litigation, group actions against companies for data breaches may become more common in future.
With an increased number of people working from home and more commonly working on personal equipment, the risk of data breaches and cyber-attacks will only increase. This means that up-to-date data protection policies and contingency planning are of paramount importance.