On October 22, 2018, the Court of Appeal of England and Wales gave its judgment in WM Morrison Supermarkets PCL v Various Claimants1. In upholding the decision of the High Court, this case has the potential to strike fear into companies – and their insurers – the length and breadth of the land.
The central issue in the appeal was whether WM Morrison Supermarkets plc (Morrisons), is liable to pay damages to its current and former employees whose personal and confidential information were unlawfully disclosed on the internet by the criminal act of another employee, in breach of the Data Protection Act (DPA), arising from a grudge that employee had against Morrisons.
The case has important implications because Morrisons was generally found not to be at fault itself in relation to its handling of personal data and because the number of data subjects affected makes it likely that the exposure in damages will be con-siderable.
Morrisons employed Andrew Skelton as a senior IT internal auditor. In July 2013 it disciplined Mr. Skelton, which left him with a grudge against Morrisons. Some four months later, Morrisons’ external auditor, KPMG, requested a copy of its payroll data relating to around 100,000 employees. Skelton was the conduit for the provision of this data from Morrisons’ HR department to KPMG. However, in addition to copying it onto a USB stick for the auditor, he also copied it onto a personal USB stick. Two months afterwards, Skelton used the second copy to post the payroll data on a file sharing website. When that failed to attract attention, he anonymously sent a CD containing the data and a link to the file-sharing site to three newspapers.
The newspapers reported the leak to Morrisons which promptly had the file sharing site taken down and informed the police. Skelton was convicted of fraud and offences under the Computer Misuse Act and DPA. He was sentenced to eight years’ imprisonment.
Some 5,500 Morrisons employees claimed damages against Morrisons for misuse of private information, breach of confidence and breach of the DPA. The claim against Morrisons was that it was primarily liable for these causes of action but, if not, it was liable vicariously for Skelton’s conduct.
High Court Judgment
In the High Court, the judge held that Morrisons was not the data controller at the time when various Data Protection Princi-ples were breached by disclosure of the data on the web – Skelton was the data controller at that time. The only Data Protec-tion principle Morrisons might have breached was principle 7, relating to security in relation to its management of Skelton. But the judge found generally that Morrisons had provided appropriate controls in that regard, with one exception that did not contribute to the unlawful disclosure. He noted that the incident for which Mr. Skelton was disciplined did not suggest he was not to be trusted and found that the technological and organizational measures in place could not, at their best, prevent the risk posed by a rogue employee who was trusted. Accordingly, Morrisons was not primarily liable for breach of the DPA. Since Morrisons did not directly misuse, authorise or carelessly permit the misuse of personal information, the claims for pri-mary liability for breach of confidence and misuse of personal information were also dismissed.
That left the alternative claim that Morrisons was vicariously liable for the acts of Mr. Skelton. The judge first rejected Morrisons’ arguments that the DPA by its terms excluded the possibility of vicarious liability and that its effect was to exclude vi-carious liability for misuse of private information or breach of confidence. He then accepted the counter-argument that the DPA was intended to supplement, and not exclude, liability and was complementary with other causes of action.
Applying the principles of vicarious liability as articulated in a large number of previous cases, the Court went on to apply the “broad and evaluative” approach of a 2016 Supreme Court case also involving Morrisons2. It held that there was a sufficient connection between the position in which Mr. Skelton was employed and his wrongful conduct to make it right that Morrisons be held liable: Morrisons had put him into the position of handling and disclosing the payroll data. The judge’s only misgiving was that this result gave effect to Skelton’s intention to harm Morrisons.
Court of Appeal
Morrisons raised the same arguments in the Court of Appeal, but without success. The Court held that if the British Parliament had intended the DPA to eradicate any other cause of action or the vicarious liability of an employer, it would have expressly said so. Although the Court accepted that primary liability for breach of the DPA was fault based whereas the vicarious liability of an employer of a data controller effectively imposed strict liability, this was no more of an anomaly than the position at common law which imposed strict liability on an employer who is guilty of no fault.
The Court then explored the principles of vicarious liability. In the 2016 case involving Morrisons, its petrol pump attendant employee assaulted a customer. In the leading Supreme Court judgment in that case, two questions were considered crucial to whether it was vicariously liable. First, in broad terms, what functions have been entrusted by the employer to the employ-ee? Secondly, was there a sufficient connection between the position in which the employee was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice? Put another way, has the em-ployee used or misused the position entrusted to him in a way that injured the third party, his motive being irrelevant?
Applying this test, the Court agreed with the High Court judge that Morrisons deliberately entrusted Mr. Skelton with the payroll data. It was a task assigned to him and not merely something to which work gave him access. Mr. Skelton’s unlawful disclosure was closely related to what he was tasked to do. Although Skelton’s actual unlawful disclosure of payroll data was from his home computer some weeks after he had unlawfully copied it onto his personal USB at work, this was part of an “un-broken chain” of events stemming from an attempt to avoid suspicion falling on him too readily.
Finally, the Court considered the point which had concerned the High Court. It was a novel legal feature of the case that vi-carious liability was being considered in circumstances where the employee’s motive was to harm Morrisons. Morrisons ar-gued that to impose vicarious liability on it in these circumstances would make the Court an accessory in furthering Skelton’s criminal aims. Further, the number of claimants (some 5,500) and employees who had their information wrongly made public (some 100,000) showed how enormous a burden a finding of vicarious liability would impose on innocent employers.
Neither point impressed. The Court of Appeal found no exception to the principle that the employee’s motive was irrelevant. As to the burden of liability, it observed that such an argument would deprive claimants of any remedy except against Mr. Skelton personally. While cases involving data breaches on a massive scale – whether resulting from corporate system fail-ures, negligence of individuals or dishonest or malicious employees – could lead to large numbers of claims for potentially ruinous amounts, the solution was to insure against such catastrophes. Although the actual insurance position would not af-fect the result of a case, the availability of insurance was a valid answer to the “Doomsday” argument put forward for Morrisons.
While the legal reasoning cannot be faulted, this case is an example of how even organizations that take good care of data and comply with GDPR and other data protection laws, can be exposed to huge liabilities for a data breach. While the amount of damages in this case has not yet been assessed, had all 100,000 affected employees claimed, even a modest award per person would result in a massive claim.
However good their IT security and governance is, organizations would therefore be well advised to consider their insurance program as part of their risk management for data breach and employee liability concerns.
1  EWCA Civ 2339
2 Mohumud v Wm Morrison Supermarkets plc  AC 667