The UK Supreme Court has held today that employers are not liable for data breaches committed by rogue employees who are acting outside the course of their employment. The decision overrules a worrying decision by the Court of Appeal and will be a relief to businesses.
The case involved a disgruntled employee of the supermarket chain Morrisons, who intentionally leaked the payroll data of around 100,000 fellow employees online and to newspapers.
Around 9,000 employees sued Morrisons for compensation under the Data Protection Act (DPA) 1998, misuse of private information and breach of confidence. The High Court and Court of Appeal held that, although Morrisons was not primarily liable for the data breach, it was vicariously liable for the unlawful acts of its employee (see our summaries of those decisions here and here).
Under established law, an employer is vicariously liable for the actions of its employee if that employee is acting ‘in the course of the employment’, even if those acts are unlawful. Whether the acts are sufficiently closely connected with employment to be ‘in the course of the employment’ depends on the facts of the case. In this case, the Court of Appeal had found that they were sufficiently closely connected – the rogue employee’s acts in sending the data to third parties were ‘within the field of activities’ assigned to him by Morrisons, and there was an unbroken thread that linked his work to the unlawful disclosure.
Vicarious liability – the court’s analysis
However, the Supreme Court unanimously found that the Court of Appeal had erred in its understanding of the principles of vicarious liability. The disclosure of the data did not form part of the employee’s functions or field of activities, and the close link and unbroken chain of causation would not alone satisfy the test of close connection. Additionally, the motive of the employee was considered to be ‘highly material’.
The Supreme Court considered the question of vicarious liability afresh, applying the general test from the leading cases on whether the disclosure had been sufficiently closely connected with the employee’s authorised acts that it could ‘fairly and properly’ be regarded as done in the course of his employment. The fact that his employment had provided the opportunity for the disclosure was not considered enough to establish the required connection. There was additionally an important distinction between an employee acting to further their employer’s business (even if misguided) and embarking on a ‘frolic of his own’. The Court found it was ‘abundantly clear’ that the employee was pursuing a personal vendetta in disclosing the data. The disclosure of the data was not sufficiently connected with what the employee was authorised to do by Morrisons to find them vicariously liable for the loss suffered by employees.
Liability under the DPA/GDPR
The court also considered a specific issue under the DPA 1998, namely whether it excluded vicarious liability for an employee who was himself acting as ‘data controller’ – i.e. taking his own decisions about what to do with the data. The Supreme Court noted that the DPA was silent on the employer’s position, so the common law doctrine of vicarious liability applied – an employer could still be vicariously liable under the DPA, although that wasn’t the case here. (The DPA 1998 has since been replaced by the EU General Data Protection Regulation (GDPR) and the DPA 2018 – but we can expect that the courts would take a similar approach.) It’s worth remembering that an employer will still be directly liable under the GDPR if an employee is acting solely under the employer’s instructions, rather than as a data controller in their own right. And if an employer fails to implement the GDPR’s data security requirements in a way that leads to a rogue employee’s data breach, the employer is also likely to be directly liable.
What should businesses do?
Although the decision will be welcomed by businesses, they should still take sensible steps to ensure that these types of data breach don’t occur in the first place. They should review how they manage ‘authorised access’ to their customer, supplier and employee data. In particular, they should ensure that there’s a rigorous process for assessing whether individuals are suitable to access sensitive business data. They should also have a clear and well-rehearsed data breach response plan – and consider obtaining suitable insurance. (For more discussion on cyber security best practice, you might like to listen to our podcasts.) The fact that Morrisons was not found liable does not mean that a company will never be found liable for a data breach caused by one of its employees, so robust processes are important.