Morrisons wins Supreme Court appeal against finding of vicarious liability in data breach class action

Today the Supreme Court handed down its decision in Wm Morrisons Supermarkets Plc v Various Claimants [2020] UKSC 12, bringing to its conclusion a case which had the potential to alter significantly the data protection and cyber security litigation and class action landscape.

The headline news is that Morrisons has been found not to be vicariously liable for the actions of a rogue employee in leaking employee data to a publicly available file-sharing website.

The judgment will likely result in a collective sigh of relief for organisations who have been watching closely to track their potential liability for data breach class actions. However, it is important to note that the Morrisons case and judgment is very fact specific; it does not close the door on data breach class action compensation as a whole. Boardrooms should still be examining the technical and organisational measures they have in place to prevent personal data breaches in order to reduce the risk of regulatory enforcement and class actions.

Background

In 2015 a former Morrisons employee was found guilty of stealing and unlawfully sharing the personal data (including names, addresses, bank account details, salary and national insurance details) of almost 100,000 of Morrisons’ employees with members of the press and with data sharing websites. At the time, the ICO investigated and found no enforcement action was required with respect to Morrisons’ compliance with the Data Protection Act 1998 (“DPA”).

Nevertheless, around 5,000 Morrisons employees brought a claim for damages – irrespective of the fact that they had not suffered any financial loss. Instead, the employees claimed that Morrisons was vicariously liable for the criminal acts of its employee and for the resulting distress caused to the relevant employees.

For full details of the background to the High Court and Court of Appeal arguments, please see our previous Morrisons data protection briefing. Following the conclusion of the Court of Appeal case, the Supreme Court subsequently granted leave to appeal, which led to a two day hearing in November 2019 and, ultimately, the judgment handed down today.

Decision

The Supreme Court overturned the Court of Appeal’s decision, finding that Morrisons was not vicariously liable for the employee’s unlawful actions. Lord Reed gave the judgment of the court, with which Lady Hale, Lord Kerr, Lord Hodge and Lord Lloyd-Jones agreed.

Lord Reed concluded that the courts below had misunderstood the principles of vicarious liability, and in particular had misinterpreted the Supreme Court’s judgment on vicarious liability in Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11. That judgment was not intended to change the law on vicarious liability, but rather to follow existing authority including, importantly, Dubai Aluminium Co Ltd v Salaam [2002] UKHL 48.

In Dubai Aluminium, Lord Nicholls identified the general principle that applies when the court considers the question of vicarious liability arising out of an employment relationship: the wrongful conduct must be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.

Applying that test, vicarious liability was not established in this case. The Supreme Court found that the employee’s wrongful conduct was not so closely connected with the acts he was authorised to do that, for the purposes of assessing Morrisons’ liability, it could fairly and properly be regarded as being done in the ordinary course of his employment.

Lord Reed referred to the distinction drawn by Lord Nicholls in Dubai Aluminium between cases “where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’, in the language of the time-honoured catch phrase.”

In the present case, he said, it was clear that the employee was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question. On the contrary he was pursuing a personal vendetta against the company, seeking revenge for disciplinary proceedings some months earlier. In those circumstances, the close connection test was not met.

Although it did not affect the outcome, in light of the court’s findings, Lord Reed also considered Morrisons’ contention that the DPA excludes the imposition of vicarious liability in relation to data breaches under that Act and for the misuse of private information or breach of confidence – in effect that the DPA is a statutory scheme which “owns the field” in this respect. The Supreme Court rejected this argument, stating that: “the imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breaches of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity.”

Implications of the decision

Data privacy implications

Although this case was argued under the repealed Data Protection Act 1998, it will likely result in a collective sigh of relief for organisations now subject to the GDPR, which expressly allows individuals to claim compensation for non-material damages (including distress) caused by non-compliance with the regulation. This is exactly the decision that many organisations wanted. In a world where companies can already be fined up to EUR 20 million or 4% of annual worldwide turnover for non-compliance with the GDPR, there are real fears concerning the potential for additional significant liability under class action claims for data breaches. Many organisations will be comforted by the steps that the Court has now taken to reduce the likelihood of such claims being successful.

However, it is important to caution against too much optimism. The Morrisons case was unusual because the compensation claim was brought by individuals despite no regulatory action being taken by the ICO at the time of the data leak itself. The decision is no guarantee that similar claims would fail in circumstances where the regulator agrees that there has been a breach of the security requirements under the GDPR, as has been the case in some of the recent big data breaches, which are starting to result in significant fines from the ICO.

Despite the claim not being successful in this instance, another, perhaps unintended, consequence of the case is that employers will be seriously considering what steps can be taken to mitigate the risk of rogue employees leaking personal data. This may result in increased employee monitoring in the workplace, with all the data privacy implications that that may entail.

Employment implications

The “close connection” test for rendering an employer vicariously liable for an employee’s actions (as described above) is well established. What has been less clear is how broadly that test should be applied to the facts. For example, it was suggested that the Supreme Court’s ruling in Mohamud v WM Morrison Supermarkets meant that, where an employee’s role involves interacting with customers in some way, an employer might be vicariously liable for the employee’s conduct towards customers even if the employee engages in a wholly different nature of interaction from that envisaged (such as by using force or away from the usual work station) and regardless of motive.

Given there is no ‘reasonable steps’ defence against vicarious liability for torts, employers will welcome today’s ruling which rows back from that liberal interpretation of the test. The Supreme Court has made clear that the mere fact that the job provides the employee with “the opportunity to commit the wrongful act” is not sufficient to impose vicarious liability, nor is the fact that the wrongful act was the culmination of an unbroken temporal or causal chain of events regardless of the employee’s motive. Doing acts of the same kind as those which it is within the employee’s authority to do is not sufficient either.

The test is whether the wrongful act was sufficiently closely connected with what the employee was authorised to do. In Mohamud it was key that the employee was purporting to act on his employer’s business, threatening the customer not to return to the employer’s premises, and not acting to achieve some personal objective. In contrast, in the current case “the employee was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.” The ruling helpfully re-establishes that employers should not be liable for the acts of employees engaged on “frolics” of their own, pursuing their own objectives.

Cyber and data security implications

While the spectre of no-fault liability presented by Morrisons has fallen away, there is still a significant risk from fault-based claims. The ICO is imposing substantial fines upon organisations for inadequate technical and organisational security measures. Claimants are cutting and pasting adverse findings from the ICO into claim forms. Organisations will have to make sure that the measures they are taking are appropriate, which will involve considering many factors including state of the art and the harm that may be caused if the security measures fail.

Class actions implications

Data breach class actions are on the rise in the UK and today’s judgment should be seen as a setback, not a roadblock. Funders and claimant firms are looking to build class actions in relation to data breaches even where there is no specific evidence of individual damage. They are seeking damages for the whole class for “distress” or a standardised claim of loss of access to data, and even a nominal damages award per claimant could lead to a significant amount over a class of tens or hundreds of thousands. Today’s judgment will not reverse that trend, but it will at least mean that companies who are themselves victims of data breaches by employees will not also face such claims on this basis alone.

The key question for the viability of those claims will be how much a bare data breach is “worth” by way of damages, even if there’s no other loss suffered by the victim. We will have to wait a bit longer now to find that out. The principles applied in misuse of private information cases may be helpful to the courts in considering this issue, given how little case law there is on damages in data protection claims.

Insurance implications

The judgment is good news for corporates and their insurers. The expectation of the courts below had been that insurance was the answer to the point that the judgment effectively helps achieve the rogue employee’s aim – namely to harm Morrisons. Insurers may therefore also be breathing a sigh of relief – but only up to a point. Vicarious liabilities for data breaches by rogue employees are insurable in principle, but these claims are not doomsday for the insurance market. That’s because the main risk for corporates – and therefore insurers – is direct liability claims and related losses, which continue apace on an upwards trajectory.

The good news for concerned corporates is that they can buy cyber insurance to cover data breach claims, whether for direct or vicarious liabilities, as well as related losses such as costs of managing the incident, regulatory investigations and loss of profits if systems are impacted. However, risk transfer strategies within corporates vary, and that cover cannot necessarily be banked upon in all cases. The main challenge therefore remains – and is not answered here: how much cover would I need to buy for a reasonable worst case, and is that available at reasonable cost on a good wording? Given that the measure of damages is still unclear, this issue will continue to be wrestled with.

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Tim Leaver
Partner, Employment, Pensions & Incentives, London
+44 20 7466 2305
Julian Copeman
Partner, Disputes, London
+44 20 7466 2168
Greig Anderson
Partner, Disputes, London
+44 20 7466 2229
Andrew Moir
Partner, Global Head of Cyber Security, London
+44 20 7466 2773
Kate Macmillan
Consultant, Disputes, London
+44 20 7466 3737
Lauren Hudson
Associate, Digital TMT & Data, London
+44 20 7466 2483
Anna Henderson
Professional Support Consultant, Employment, Pensions & Incentives, London
+44 20 7466 2819
Maura McIntosh
Professional Support Consultant, Disputes, London
+44 20 7466 2608

Game changer for cyber/data breach cases opens in Supreme Court: WM Morrisons Supermarkets Plc v Various Claimants

The Supreme Court in England has two issues to consider in the appeal which opens today. First, should the company be held to be vicariously liable for the acts of its employee in this case? It concerns, after all, a rogue employee who took payroll data with which he was entrusted home on a USB stick and uploaded it onto a file sharing website. The company was a victim; the employee was motivated by a grudge against it. He was convicted of crimes and sentenced to 8 years’ imprisonment. If the answer to this question is yes, business says it places a huge burden on it, at a time when the cyber incident insurance market is still developing. What are the consequences in practice for how business should monitor and carry out surveillance of employees? Should employers never let employees handle special types of personal data alone? Should employers monitor employees’ laptops routinely, or only if they suspect misuse of personal data?

The second issue is the extent to which data protection law “owns” the field in terms of remedies. Can claimants rely on other causes of action in data breach cases? Does the Data Protection Act 1998 prevent the application of vicarious liability to a breach of the Act? Does it exclude the application of the tort of misuse of private information or the equitable doctrine of breach of confidence to breaches of that Act?

If the claim against Morrisons is ultimately successful, there will be a further hearing to consider the quantum of damages, and the all-important question of what damages should be awarded for the distress associated with a data breach where there is no other tangible loss.

Andrew Moir, head of Herbert Smith Freehills’ global cyber security practice, commented: “If the Court of Appeal’s decision stands it will likely pave the way for future data breach related class actions – even if the individual quantum is modest, the number of individuals affected by data breaches is often significant enough to make such claims viable”.

The judges hearing the case are: Lady Hale, Lord Reed, Lord Kerr, Lord Hodge, Lord Lloyd-Jones.

Kate Macmillan, a consultant in our cyber security team, is attending the Supreme Court today and will be reporting live on the submissions. You can follow her here.

Andrew Moir
Partner and Global Head of Cyber Security, London
+44 20 7466 2773
Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Christine Young
Partner, London
+44 20 7466 2845
Greig Anderson
Partner, London
+44 20 7466 2229
Kate Macmillan
Consultant, London
+44 20 7466 3737

Storming the Breaches: DCMS releases Cyber Security Breaches Survey 2019

Cyber-attacks are a continuous threat to both businesses and charities. From the Cyber Security Breaches Survey 2019 (available here as a PDF), we can see that fewer businesses are identifying breaches than in previous years, but the ones that are identifying breaches are typically experiencing more of them. Approximately 32% of businesses and 22% of charities report having cyber security breaches/attacks in the last 12 months. The most common type of cyber security breaches reported are:

British Airways Data Breach: ICO announces potential £183 million ‘mega fine’

  • The ICO has published a notice of its intent to fine British Airways £183.39 million for its 2018 data breach where the personal data of 500,000 customers was stolen by hackers;
  • This is the first ‘mega fine’ issued by a European data regulator since the implementation of the GDPR;
  • The ICO acted as lead supervisory authority and has confirmed that it has been liaising with other EU privacy regulators;
  • No details have yet been published by the ICO regarding the specific GDPR infringements involved;
  • British Airways now has the chance to respond to the notice of intent, after which a final decision will be made by the ICO.


Latest twist in the Morrisons Case: Supreme Court grants Morrisons permission to appeal

On 15 April 2019, the Supreme Court granted supermarket chain Morrisons permission to appeal against the Court of Appeal ruling that it was vicariously liable for its employee’s misuse of data in the first successful UK class action for a data breach.

Permission was granted on all grounds of appeal and the Supreme Court will principally consider:

  1. whether the common law doctrine of vicarious liability is excluded in cases that engage the data protection legislation (i.e. where the primary tortfeasor’s actions amounted to a breach by the tortfeasor of his or her own obligations under the data protection legislation);
  2. if the doctrine is excluded in respect of claims brought by reference to the data protection legislation, whether it is equally excluded in respect of any related common law or equitable causes of action; and
  3. if the doctrine is not excluded, whether the Court of Appeal in any event erred when it decided to uphold the conclusion that Morrisons was vicariously liable in the circumstances of the case.

This latest twist in the Morrisons tale follows the Court of Appeal dismissing an appeal against the High Court’s decision that Morrisons was vicariously liable for its employee’s misuse of data in October 2018, despite: (i) Morrisons having done as much as it reasonably could to prevent the misuse; and (ii) the employee’s intention being to cause reputational or financial damage to Morrisons itself: Wm Morrisons Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339.

Click:

  • here for our previous article on the Court of Appeal’s judgment and here for the Court of Appeal’s full judgment
  • here for our summary of the High Court decision.


Cyberattack on German Public Figures Leads To One of Germany’s Largest Data Breaches

Last week, it was announced that during December 2018 almost one thousand German public figures, including journalists and a number of prominent politicians including the Chancellor and President, were the subject of one of Germany’s largest data breaches. The leaked data included contacts, private chats, credit card details and other financial details of figures from many of the major German political parties. The German interior ministry have since stated that there is no evidence that government systems or data have been compromised in the cyberattack.