An employer may be vicariously liable for a data breach caused by the tort of an employee depending on the circumstances.
WM Morrison Supermarkets plc v. Various Claimants, 2020 UKSC 12, per Lord Reed rev’g 2017 EWHC 3113 (Q.B.) and 2018 EWCA Civ 2339 (Eng. C.A.)
Facts + Issues
The Defendant Morrisons operated a supermarket chain. One of its employees, Skelton, disclosed the confidential employment file data for approximately 100,000 employees on the internet.
Skelton was employed by Morrisons as a senior auditor in Morrisons’ internal audit group. He had been disciplined by the company in July 2013 for minor misconduct which involved another employee, Kenyon. Skelton “harboured an irrational grudge against Morrisons, which led him to make the disclosures in question” (para. 3).
In particular, Morrisons had its accounts audited by external auditors, KPMG, annually. In November 2013 KPMG requested payroll information from Morrisons as part of its audit process. Skelton’s boss assigned him the task of collating and transmitting the data to KPMG. Skelton was given access to the payroll data for that purpose.
Skelton found a website for Tor software, which enables someone to disguise the identity of a computer for internet access. He bought a pay-as-you-go cell phone that was untraceable to him. On 13 November 2013 he obtained the payroll data from Morrisons for the purpose of forwarding it to KPMG and he carried out that task. On 18 November 2013 he surreptitiously copied the data from his work computer to a personal USB stick. In January 2014 Skelton uploaded the personnel data to a public website from his personal USB stick, employing his untraceable cell phone while he was at home. He employed the Tor software and a false email account he had set up in the name of Kenyon with the intention of framing him. He then deactivated the false email account and deleted the data from his USB stick.
Later, Skelton sent CDs containing the personnel data to several newspapers, claiming to be a concerned citizen who had found it on the public website. The newspapers did not publish the data but brought the data breach to the attention of Morrisons.
After an internal investigation and a police investigation, Skelton was charged with a number of crimes, convicted and sentenced to 8 years in prison. Morrisons had spent more than £2.26 million in responding to the data breach.
In a class action, the employees sued Morrisons for breach of the Data Protection Act, 1998 and in vicarious liability for Skelton’s breach of the DPA and the common law torts of misuse of private information and breach of confidence.
The English Queen’s Bench found that Morrisons was not directly liable for breach of the DPA, but was vicariously liable for Skelton’s breach of the DPA and for the common law torts alleged. The judge rejected Morrisons’ argument that an employer could not be vicariously liable for a breach of the DPA. He held that Morrisons had provided Skelton with the opportunity to steal the data by giving it to him for a legitimate task within the scope of his employment and characterized the misconduct as “a seamless and continuous sequence of events … an unbroken chain”, within the meaning of Mohamud v. WM Morrison Supermarkets plc AC 677 (U.K.S.C.). In that case, an employee at a petrol station got into an argument with a customer, left his kiosk, approached the customer at the latter’s vehicle and admonished him to never return to the station, and then assaulted the customer.
On appeal to the U.K. Court of Appeal it was admitted that there was nothing in the DPA which excluded vicarious liability. The Court of Appeal upheld the trial judgment, finding that “[t]he tortious acts of Mr. Skelton in sending the claimants’ data to third parties were in our view within the field of activities assigned to him by Morrisons” and emphasizing that the events constituted a “seamless and continuous sequence” or “unbroken chain” of events (para. 14). The Court of Appeal recognized that the employee’s motive to harm the employer was a unique feature of the case, but held that the employee’s motive was irrelevant to the vicarious liability analysis per Mohamud.
Morrisons appealed to the U.K. Supreme Court, raising the following issues:
- Whether Morrisons was vicariously liable for Skelton’s misconduct; and
- If so, whether or not vicarious liability was excluded under the DPA.
HELD: For the Defendant Morrisons; appeal allowed and Morrisons absolved of vicarious liability.
- The Court held that Morrisons was not vicariously liable and that the Courts below had misunderstood the test for vicarious liability, including as set out by Lord Toulson in Mohamud. Skelton was acting to fulfill a personal vendetta, as opposed to furthering the employer’s business, and his motive was not irrelevant to the issue of vicarious liability.
- The Court reviewed the development of the principles of vicarious liability.
- The starting point was the adoption of the two-part Salmond test, as discussed in Mohamud:
Lord Toulson went on to refer to the familiar formula introduced by Sir John Salmond in the first edition of Salmond on Torts (1907), pp 83-84, and repeated in later editions, which defined a wrongful act by a servant in the course of his employment as “either (a) a wrongful act authorized by the master or (b) a wrongful and unauthorized mode of doing some act authorized by the master”, with the amplification that a master is liable for acts which he has not authorized if they are “so connected with acts which he has authorized, that they may rightly be regarded as modes - although improper modes - of doing them” (Lord Toulson’s emphasis:  AC 677, para 25). Lord Toulson explained that, although Salmond’s formula was applied in many cases over the course of the 20th century, it was not universally satisfactory, particularly in cases concerned with deliberate acts of misconduct.
- The Court found that “the Salmond formulation was stretched to breaking point” in Lister v Hesley Hall Ltd  UKHL 22 where a boarding school was exonerated of vicarious liability for the warden’s sexual abuse of children. That Court found that the misconduct was “a mode, albeit an unauthorized mode” of carrying out the warden’s duties per part 2 of the Salmond test. The misconduct was held to be “inextricably interwoven with the carrying out by the warden of his duties” and “so closely connected with acts which the employer has authorized that they may properly be regarded as being within the scope of his employment”.
- The Court held (at para. 22) that in Dubai Aluminium Co Ltd v Salaam  UKHL 48;  2 AC 366 the House of Lords had correctly enunciated the principles of vicarious liability.
- Specifically the Court reiterated the following principles from Dubai Aluminium:
22. ... it is a fact of life, and therefore to be expected by those who carry on businesses, that sometimes their agents may exceed the bounds of their authority or even defy express instructions. It is fair to allocate risk of losses thus arising to the businesses rather than leave those wronged with the sole remedy, of doubtful value, against the individual employee who committed the wrong. To this end, the law has given the concept of ‘ordinary course of employment’ an extended scope.
23. If, then, authority is not the touchstone, what is? ... Perhaps the best general answer is that the wrongful conduct must be so closely connected with acts the partner or employee was authorized to do that, for the purpose of the liability of the firm or the employer to third parties, the wrongful conduct may fairly and properly be regarded as done by the partner while acting in the ordinary course of the firm’s business or the employee’s employment. Lord Millett said as much in Lister v Hesley Hall Ltd ...
This ‘close connection’ test focuses attention in the right direction. But it affords no guidance on the type or degree of connection which will normally be regarded as sufficiently close to prompt the legal conclusion that the risk of the wrongful act occurring, and any loss flowing from the wrongful act, should fall on the firm or employer rather than the third party who was wronged ...
This lack of precision is inevitable, given the infinite range of circumstances where the issue arises. The crucial feature or features, either producing or negativing vicarious liability, vary widely from one case or type of case to the next. Essentially the court makes an evaluative judgment in each case, having regard to all the circumstances and, importantly, having regard also to the assistance provided by previous court decisions. In this field the latter form of assistance is particularly valuable. (Original emphasis)
- The Court held the principle emerging from Dubai Aluminium was that “the wrongful conduct must be so closely connected with acts the employee was authorized to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment” (para. 23). Further, the Court held:
The general principle set out by Lord Nicholls in Dubai Aluminium, like many other principles of the law of tort, has to be applied with regard to the circumstances of the case before the court and the assistance provided by previous court decisions. The words “fairly and properly” are not, therefore, intended as an invitation to judges to decide cases according to their personal sense of justice, but require them to consider how the guidance derived from decided cases furnishes a solution to the case before the court. Judges should therefore identify from the decided cases the factors or principles which point towards or away from vicarious liability in the case before the court, and which explain why it should or should not be imposed. Following that approach, cases can be decided on a basis which is principled and consistent.
- The Court held that Lord Toulson in Mohamud had not deviated from the Dubai Aluminium principles, as suggested by the Courts below (para. 26):
… Plainly, the close connection test is not merely a question of timing or causation, and the passage which Lord Toulson cited from Dubai Aluminium makes it clear that vicarious liability for wrongdoing by an employee is not determined according to individual judges’ sense of social justice…
- Lord Reed held that the Courts below had misinterpreted Mohamud in holding that the employee’s motive is irrelevant in all cases. In Mohamud it was held that the employee’s rage was irrelevant because it had not made a material difference to the finding of vicarious liability on the facts of that case.
- The Court held that Morrisons’ vicarious liability had to be considered afresh because the Courts below had misinterpreted the relevant case law:
It follows from the foregoing that the judge and the Court of Appeal misunderstood the principles governing vicarious liability in a number of relevant respects, of which the following were particularly important. First, the disclosure of the data on the internet did not form part of Skelton’s functions or field of activities, in the sense in which those words were used by Lord Toulson: it was not an act which he was authorized to do, as Lord Nicholls put it. Secondly, the fact that the five factors listed by Lord Phillips in Various Claimants v Catholic Child Welfare Society  2 AC 1, para 35, were all present was nothing to the point. Those factors were not concerned with the question whether the wrongdoing in question was so connected with the employment that vicarious liability ought to be imposed, but with the distinct question whether, in the case of wrongdoing committed by someone who was not an employee, the relationship between the wrongdoer and the defendant was sufficiently akin to employment as to be one to which the doctrine of vicarious liability should apply. Thirdly, although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Skelton for the purpose of transmitting it to KPMG and his disclosing it on the internet, a temporal or causal connection does not in itself satisfy the close connection test. Fourthly, the reason why Skelton acted wrongfully was not irrelevant: on the contrary, whether he was acting on his employer’s business or for purely personal reasons was highly material.
- Lord Reed concluded that Morrisons was not vicariously liable for Skelton’s misdeeds.
- He held as follows:
34. The connecting factor between what Skelton was authorized to do and the disclosure is that he could not have made the disclosure if he had not been given the task of collating the data and transmitting it to KPMG. It was the provision of the data to him, so that he could perform that task that enabled him to make a private copy of the data on 18 November 2013, which he subsequently used to make the disclosure on 12 January 2014.
35. Clearly, the mere fact that Skelton’s employment gave him the opportunity to commit the wrongful act would not be sufficient to warrant the imposition of vicarious liability…
- Per Dubai Aluminium, a distinction must be drawn between a case where an employee misguidedly furthers his or her employer’s interest and one where the employee is involved in a personal “frolic of his own”:
47. All these examples illustrate the distinction drawn by Lord Nicholls at para 32 of Dubai Aluminium  2 AC 366 between “cases ... where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’, in the language of the time-honoured catch phrase.” In the present case, it is abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier. In those circumstances, applying the test laid down by Lord Nicholls in Dubai Aluminium in the light of the circumstances of the case and the relevant precedents, Skelton’s wrongful conduct was not so closely connected with acts which he was authorized to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment.
- The Court held that the DPA did not exclude the possibility of vicarious liability.
Canadian courts have suggested that an organization may be vicariously liable for an employee’s intrusion upon seclusion. As set out in more detail below, in Grossman v. Nissan Canada, 2019 ONSC 6180, a class action was certified against Nissan after one of its employees improperly accessed confidential information and made a ransom demand threatening to disclose this information unless he was paid. The Court followed the prior decisions in Evans v. Bank of Nova Scotia, 2014 ONSC 2135; lv to app. ref’d 2014 ONSC 7249, and Daniels v. McLellan, 2017 ONSC 3466 in certifying a class action against Nissan in vicarious liability for the intrusion upon seclusion. In Daniels v. McLellan a nurse (McLellan) had improperly accessed the confidential information of a number of patients. The Court certified a class action against McLellan’s employer (a hospital) in vicarious liability for intrusion upon seclusion.
However, these Canadian decisions reveal little about the employment duties of the employees in question, and they did not hold that the employer was vicariously liable, only that an argument for vicarious liability was not doomed to fail in the end. They do not mention any of the decisions in the seminal U.K. case of Various Claimants v. Wm Morrisons Supermarket PLC. In that case, an employee of a supermarket company had copied and posted confidential records of a number of the company’s employees online, seeking vengeance against the company for having recently disciplined him on an unrelated matter. In an extensive review of the law of vicarious liability, the trial and appeal courts held the company blameless of any direct negligence but liable in vicarious liability. The U.K. Supreme Court reversed and exonerated the employer, finding that there was insufficient connection between the employee’s misconduct and his employment duties. Thus, the Canadian cases and Morrisons unanimously support the proposition that an employer may be vicariously liable for the data breach tort of an employee, depending on the factual circumstances.