Morrisons Data Breach – Supreme Court Decision

02 Apr 2020


The recent decision of the UK Supreme Court in WM Morrison Supermarkets plc v Various Claimants   will give some comfort to employers that they won’t be held vicariously liable for the acts of employees if those acts are carried out other than in furtherance of the employer’s business.

The Facts

Mr Andrew Skelton was a senior auditor in Morrisons’ internal audit team. In July 2013 he was subject to disciplinary proceedings for minor misconduct and was given a verbal warning.

Later that year, Skelton was tasked with collating and providing to KPMG personal data relating to Morrisons employees.  To do so, he was given access to the personal information of 120,000 Morrisons employees.

He carried out the work for Morrisons as requested.  However, he also took a series of complex steps to create the impression that Mr Andrew Kenyon, a Morrisons employee who had been involved in the disciplinary proceedings against Skelton, was responsible for data breaches.

Skelton’s schemes were elaborate and calculated. He placed the personal information of 98,998 Morrisons employees on the internet and created a series of false accounts intended to show that Mr Kenyon was responsible for the data breach. Skelton was arrested, convicted and sentenced to 8 years imprisonment for his actions.

The Claimants affected by the disclosure brought legal proceedings against Morrisons based on Morrisons alleged vicarious liability for the actions of Skelton, i.e. that the acts carried out by him were closely related to the acts he was authorised to carry out by Morrisons.

The Claimants succeeded with their claim in the High Court. Morrisons appealed to the Court of Appeal, which upheld the first instance decision in favour of the claimants. Morrisons therefore appealed to the Supreme Court.

Supreme Court Decision

The Supreme Court decided in favour of Morrisons and overturned the decisions of the lower courts. The decision is perhaps best summarised by the following quotations from cases the Supreme Court followed:

 

“The master is only liable where the servant is acting in the course of his employment. If he was going out of his way, against his master’s implied commands, when driving on his master’s business, he will make his master liable; but if he was going on a frolic of his own, without being at all on his master’s business, the master will not be liable.” Parke, B in Joel v Morison (1834)


“A distinction is to be drawn between cases ..where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’, in the language of the time-honoured catch phrase..” Lord Nicholls in Dubai Aluminium [2003] 2 AC 366 (para 32):

The key distinction to be made here is whether the employee was “furthering his employer’s business” or was acting on a “frolic of his own”. Whilst it was undoubtedly true that Skelton had been given the employee data to carry out certain acts on behalf of Morrisons, it was fairly plain that he had “frolicked” from that path significantly by carrying out the deliberate and fraudulent acts he was responsible for.

His wrongful disclosure of the data was not so closely connected with the task he had been given by Morrisons that it could fairly be said he was acting in the ordinary course of his employment. The fact that his employment gave him the opportunity to commit the wrongful act was not sufficient to make Morrisons liable for his actions. In the case of Skelton, he was pursuing a personal vendetta and could not be said to be engaged in furthering his employer’s business.

The court went on to consider a point under the Data Protection Act 1998 (DPA), namely whether the provisions of the DPA could be said to exclude liability for vicarious liability. The court, perhaps unsurprisingly, found that the statute did not limit or exclude any separate liability for vicarious liability.

Summary

It is hard to draw too many final conclusions from this case, simply because the actions of Skelton were so extreme and so calculated.  However, the decision does help give assurance to employers that they will not be liable for the acts of employees who go off on a “frolic of their own” and thereby cease to act in the employer’s interests or in the proper pursuit of the employer’s business.

Employees who act properly within the scope of their employment and in furtherance of the employer’s business, however poorly those acts are carried out, will still give rise to vicarious liability on the part of the employer. However, the recent case does at least give comfort that employers will be liable for the acts of rogues such as Skelton.

The above is a short and simplified summary of the issues dealt with in the Morrisons case. Please contact us if you would like to know more about the case, or its implications, in further detail.