The UK Supreme Court has allowed an appeal by grocery retailer WM Morrisons Supermarkets Plc (Morrisons) against a Court of Appeal decision which held Morrisons vicariously liable for a deliberate data breach committed by a disgruntled ex-employee which exposed the personal data of over 100,000 of its employees.
This case arose when Andrew Skelton, a former senior internal auditor, was tasked with transmitting Morrisons' payroll data to an accountancy firm to assist with an audit. Skelton harbored a grudge against Morrisons for a previous disciplinary matter and used this opportunity to upload and publish the data to a file sharing platform. He also forwarded copies to three newspapers, one of which notified relevant authorities. Skelton received an eight-year jail sentence for his actions while Morrisons faced a substantial class action suit comprising approximately 9,000 affected employees all of whom alleged that Morrisons were directly or vicariously liable for Skelton's conduct.
The UK Supreme Court's decision
The employees succeeded initially before the High Court and the Court of Appeal, both of which held Morrisons vicariously liable for the data breach committed by Skelton. However, the Supreme Court reached a different conclusion ruling unanimously that the "judge and the Court of Appeal misunderstood the principles governing vicarious liability" and held Morrisons not vicariously liable for a deliberate breach which "did not form part of Skelton’s functions or field of activities" nor was it "an act which he was authorised to do".
The Supreme Court's decision centred on Skelton's motive and the fact that he was not furthering his employer’s business when he deliberately committed the wrongdoing. Instead, Skelton was in pursuit of a personal vendetta, seeking vengeance for a previous disciplinary process. This conduct was not closely connected with the "field of activities" which Skelton was authorised to do that, for the purposes of Morrisons’ liability to third parties, it could fairly and properly be regarded as having been done by him while acting in the ordinary course of his employment. On that basis, the Supreme Court held that Skelton's wrongdoings were not sufficient to result in vicarious liability being imposed on his employer. Morrisons could not be held liable for Skelton’s conduct and accordingly the appeal was allowed by the Supreme Court.
The Irish position
In Ireland, an employer may be held vicariously liable under common law for the acts and/or omissions of their employees which occur in the course of the employee's employment. The Irish Courts have adopted a broad approach when determining whether an employer may be vicariously liable for acts of employees and generally focus on:
- what were the field of activities entrusted by the employer to the employee; and
- whether there was sufficient connection between the position in which the employee was employed and their wrongful conduct, such that the employer should be held liable in accordance with social justice.
In addition, employers may also be held vicariously liable for the discriminatory acts committed by their employees under the Employment Equality Acts 1998-2015, regardless of whether or not such acts were committed with or without the employer's consent. However, employers can often avoid liability where they can show that they took all reasonable steps to prevent the discriminatory act.
This decision addresses a concern shared by many employers, that aggrieved or disgruntled employees might go "rogue" in the course of carrying out their duties. It establishes that an employee who is on a frolic of his/her own and not simply conducting his/her duties in a misguided or reckless manner, will be far less likely to result in his/her employer being held vicariously liable for his/her wrongful actions. In short, it endorses the Irish position that an employer will only be liable where there is a close connection between the wrongful act and an act which the employer authorised the employee to undertake.
This case also serves as a useful reminder for Irish employers to ensure their employees are aware of the standard of conduct expected of them and that clear workplace policies and security measures are in place to minimise the risk of employees engaging in an unauthorised manner.
Employers should ensure their workplace policies and security measures are up-to-date, appropriately tailored to their particular business needs and effectively communicated to the workforce particularly where many employees have suddenly become remote on foot of the current nationwide COVID-19 restrictions.