Good news for employers, or is it? – the UK Supreme Court hands down judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)

Quick read and listen

1. The UK Supreme Court [April 1^st 2020] overruled the Court of Appeal in holding that that Morrisons supermarkets are not vicariously liable for a data breach maliciously caused by a former employee.
2. The Supreme Court concluded that the Court of Appeal had misunderstood the principles governing vicarious liability in their previous judgments in the case.
3. Listen to the reasons for the decision - https://www.youtube.com/watch?v=V2Qee_v_1No

Read an analysis here

1. The critical issue before the Supreme Court was
   1. whether the “close connection” test developed in previous case law was satisfied, and
   2. therefore whether vicarious liability could be imposed on Morrisons.
2. The Supreme Court found that this was not the case, for the following reasons:
   1. Field of activities of the employee?
      1. The employee’s actions in causing the data breach were not within the “field of activities” of the employee.
      2. This meant that his actions were not so closely connected with that task that they can fairly and properly be regarded as made by him while acting in the ordinary course of his employment;
   2. A temporal and/or causal link is not enough.
      1. The fact that his employment gave the employee the opportunity to commit the data breach is not sufficient to warrant the imposition of vicarious liability; and
   3. An employee’s motive is relevant.
      1. An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta (as was the case here – the employee’s motivation in committing the data breach was to harm his employer, not to further its business).
      2. The employee’s motive is, therefore, relevant in that analysis.
   4. The decision
      1. This decision sets aside a significant liability risk which had arisen following the previous decisions in the case.
      2. In addition, the Court of Appeal’s comment that companies should simply obtain insurance to cover this liability risk will no longer be troubling for the insurance market.
      3. The Supreme Court’s decision largely puts an end to a paradoxical situation that had arisen – specifically that in making findings of vicarious liability against employers in circumstances where an employee was looking to harm their employer by causing a data breach, the courts could in some circumstances be furthering the malicious aims of that employee.
   5. Vicarious liability The Supreme Court was not persuaded by Morrisons’ arguments
      1. It is important to note that the judgment does not set aside the possibility of employers being found vicariously liable in the data breach context per se.
      2. The Supreme Court was not persuaded by Morrisons’ arguments that the Data Protection Act 1998 (and by implication, its successor legislation in the form of the Data Protection Act 2018 and the EU General Data Protection Regulation) exclude vicarious liability for statutory and common law wrongs in the data breach context.
      3. What this means is that if an employee did satisfy the “close connection” test (see above) when they caused a data breach, vicarious liability on the part of the employer remains a possibility.

Souced from –

https://www.telegraph.co.uk/technology/2020/04/01/morrisons-not-liable-actions-rogue-employee-supreme-court-finds/

https://www.dataprotectionreport.com/2020/04/good-news-for-employers-finally-the-uk-supreme-court-hands-down-judgment-in-wm-morrison-supermarkets-plc-appellant-v-various-claimants-respondents/

https://www.supremecourt.uk/cases/docs/uksc-2018-0213-judgment.pdf