In the first group litigation of its kind, more than 5,000 employees of WM Morrison Supermarkets plc (“Morrisons”) sought to claim damages from Morrisons in the High Court for (i) breach of confidence; (ii) the misuse of private and confidential information; and (iii) for breach of statutory duty under section 4(4) of the Data Protection Act 1998 (the “DPA”). It was claimed that Morrisons was either primarily responsible under those causes of action or vicariously as a result of the actions of a disgruntled employee. The High Court found Morrisons was not primarily responsible. However, according to the High Court, there was a sufficient connection between the position in which the disgruntled employee was employed and his wrongful act so as to make Morrisons vicariously liable. Morrisons appealed to the Court of Appeal.
The disgruntled employee was a senior IT internal auditor at the relevant time. He had been subject to a disciplinary hearing and sanctioned with a formal verbal warning. Several months after the disciplinary hearing, he was provided with a USB containing the personal information of approximately 100,000 employees, including bank details and salary information. The disgruntled employee was tasked with providing the data to Morrisons’ auditors, which he did, once he had copied the private information onto his laptop. Several weeks later, the disgruntled employee copied the information onto his personal USB and, using a colleague’s credentials, posted the data onto a file sharing website.
There were three grounds of appeal, which were:
(i) the DPA excludes the application of vicarious liability;
(ii) the DPA excludes the application of the equitable and tortious causes of action for breach of confidence and misuse of private information; and
(iii) the judge was wrong to conclude that the wrongful actions of the disgruntled employee occurred during his course of employment with Morrisons and accordingly Morrisons was not vicariously liable.
The respondents issued a respondent’s notice seeking to uphold the Order of the High Court on the additional ground that the High Court should have taken into account the disgruntled employee’s duty of preserving confidentiality which he was under as a result of his employment by Morrisons.
1. The first and second grounds of appeal
The Court of Appeal dealt with the first and second grounds of appeal together, explaining that the first ground of appeal was “merely a stepping stone” for the contention by Morrisons that there could be no vicarious liability for the misuse of private information or breach of confidence.
Firstly, the Court of Appeal explained that it was “obvious” that had Parliament intended for “such a substantial eradication of common law or equitable rights, it might have been expected to say so expressly”. Secondly, there was an inconsistency in Morrisons’ arguments. On the one hand, they had conceded that tortious and equitable causes of action existed in parallel with the obligations under the DPA, in respect of the primary liability of the disgruntled employee and his wrongful action. However, on the other hand, Morrisons contended vicarious liability for the same causes of action had been excluded by the DPA. This was a “difficult line to tread” because it presented an inconsistency in the application of one of the main objects of the DPA, “namely the protection of privacy and the provision of an effective remedy for its infringement…rather than their curtailment”. The DPA was silent on the liability of an employer who was not a data controller for breaches by an employee who was a data controller. As a result, vicarious liability was not expressly or impliedly excluded by the DPA.
2. The third ground of appeal
The Court of Appeal agreed with the High Court’s evaluation that the disgruntled employee’s wrongful action occurred during his period of employment with Morrisons. His actions constituted a “seamless and continuous sequence” of events that was properly planned out. Moreover, there were numerous cases when an employer was held liable for acts committed by an employee away from the workplace.
An odd feature of this case, which led to the High Court granting permission to appeal, was the motive of the disgruntled employee. He committed the wrongdoing not for any personal benefit but to harm Morrisons. Thus, by finding Morrisons vicariously liable, the Court was furthering the disgruntled employee’s aim. However, by not finding Morrisons vicariously liable in circumstances where financial loss had occurred, the respondents would have had no other recourse than against the disgruntled employee.
The Court of Appeal unanimously upheld the High Court’s decision and found Morrisons vicariously liable as a result of the actions of a disgruntled employee.
Following the Court of Appeal’s decision, employers may now find themselves liable for the wrongful actions of their employees, in circumstances where they themselves were nonetheless compliant with data protection legislation but the wrongful action was carried out by one of their employees and was intended to harm them.
Depending on whether or not Morrisons appeals to the Supreme Court and the outcome of any such appeal, Morrisons could find themselves liable to more than 5,000 former and current employees for damages, which potentially could be ruinous. The Court of Appeal suggested a solution to such “catastrophes” would be for employers to insure against such losses which are caused by dishonest or malicious employees. However, it would remain to be seen how effective such policies would be and to what extent they would cover the exposure. The introduction of exclusions and policy limits may well be contemplated by insurers following the Court of Appeal’s decision.
It is worth noting that the breach in question occurred under the DPA, rather than under the GDPR, which came into force in May of this year. With the expansion of data subject rights since the introduction of the GDPR and following the Court of Appeal’s decision, we may start to see class actions brought forward by more conscious employees in the event of data breaches. Employers should not only take steps to ensure their ongoing compliance with data protection legislation but should also look to take steps to protect themselves against dishonest or malicious employees, particularly in the context of data protection.
For further information, please contact Alexander Edwards or the Partner with whom you usually deal.