Should WM Morrison Supermarkets plc be Vicariously Liable?
The Supreme Court has ruled that WM Morrison Supermarkets plc, trading as Morrisons, were not vicariously liable for the malicious acts of one of its employees, Mr Andrew Skelton (‘S’), who uploaded Morrisons’ payroll data to the internet. This result will come as a relief to many employers after the previous decision by the Court of Appeal rendered the company liable.
As a result of a verbal warning given for minor misconduct, ‘S’, an internal IT auditor at Morrisons, held a grudge towards the company. He was tasked with sending their payroll data to KPMG for external auditing purposes, however during the course of this, ‘S’ copied the data onto a personal USB stick with which he proceeded to release onto a file-sharing website.
Links to the data were posted on other websites and copies were also sent to newspaper companies. Fortunately, the newspapers did not release this information and instead informed Morrisons of the breach. Morrisons took immediate action to remove the online information and contacted the police. ‘S’ was charged and convicted under the Computer Misuse Act 1990.
A large number of co-workers brought a civil claim against the supermarket where they argued that it had primary liability for its own actions and vicarious liability for the employee’s actions.
The High Court Decision
Mr Justice Langstaff held that although Morrisons were not primarily liable for the actions of ‘S’, they were vicariously liable as there was a link between his employment and his actions, which consequently led to the breach.
The Court of Appeal Decision
The Court of Appeal found that there was no exclusion of vicarious liability within the Data Protection Act 1998. The wrongdoing occurred during the course of his employment; his decision to disclose it to other third parties, whilst not authorised, was closely connected with his task. The motive for wrongdoing is irrelevant even where the motive is to cause harm to the employer.
The Supreme Court Decision
The Supreme Court considered that ‘S’ was not furthering his employer’s business but instead was purely engaged in pursuing his own interests on “a frolic of his own”. It commented that ‘S’ was “pursuing a personal vendetta” due to the earlier verbal warning he had received, and stated;
“S’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment.”
Therefore, the actions of ‘S’ did not place a position of vicarious liability on Morrisons.
Employers will be relieved by the decision, as it is very difficult for a company to protect itself against the actions of a rogue employee. However, employers should still ensure that information security arrangements are put in place in order to minimise the possibility of unauthorised data leaks and that policies do not act as just a ‘tick box’ exercise.