Court of Appeal hands down significant judgment in WM Morrison Supermarkets Plc ("Morrisons") v Various Claimants [2018] EWCA Civ 2339
Overview
On 22 October 2018, the Court of Appeal handed down a significant judgment in WM Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339.
The decision is likely to have far reaching consequences for employers as the Court of Appeal upheld Langstaff J's controversial finding at first instance that Morrisons was vicariously liable for the criminal actions of its former employee, Andrew Skelton, notwithstanding that it was held to have taken appropriate steps to mitigate the risk of such criminal actions occurring, and that these actions were undertaken with the express intention of causing damage to Morrisons.
Background
The Claimants' (5,518 Morrisons' employees) claims arise from Mr Skelton's unauthorised uploading of personal data (including names, addresses, dates of birth, home and mobile phone numbers, national insurance numbers, and details of bank accounts and salaries) relating to nearly 100,000 Morrisons' employees (the "Data") to a file-sharing website in 2014 (the "Breach").
Mr Skelton, who, at the time of the Breach, was a senior internal IT auditor at Morrisons, had become disgruntled by virtue of an internal disciplinary relating to his operating a side-business using Morrisons' post room.
Thereafter, Mr Skelton, who had the right to access the Data as a result of his role, copied the Data, uploaded it to a file sharing website (in a manner which was intended to frame another Morrisons' employee), and provided copies of the Data to three UK newspapers.
Upon receiving the Data, one of the newspapers brought the Breach to Morrisons' attention, and immediate steps were taken by Morrisons to remedy the Breach.
Shortly thereafter, Mr Skelton was arrested and charged with fraud, and offences pursuant to the Computer Misuse Act 1990 and the Data Protection Act 1998 (the "Act"). He was ultimately convicted of these offences in 2015 and sentenced to eight years imprisonment.
The Claimants' claims
Having obtained a Group Litigation Order in November 2015, the Claimants issued proceedings against Morrisons, and thereafter, the Court determined that there should be a split trial on liability and quantum.
The Claimants' claimed that, in failing to prevent the Breach, Morrisons was primarily liable for breaches of the Act, misuse of private information, and / or breaches of confidence (the "Primary Claims"), or, alternatively, vicariously liable for Mr Skelton's misuse of private information and / or breaches of confidence (the "VL Claims").
These claims were determined at a trial on liability before Langstaff J in October 20171.
Whilst Langstaff J dismissed the Primary Claims (as Morrisons had not, itself, misused, or authorised the misuse of, the Data2, and had in place appropriate measures to ensure that the Data was not misused by its employees3, and was therefore not in breach of the Act), he held that Morrisons was vicariously liable for the Breach, and, accordingly, upheld the VL Claims.
However, Langstaff J granted Morrisons leave to appeal his decision as, he remained troubled by Morissons' submission that he ought not to have reached this conclusion as: "the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible.4"
The Court of Appeal's decision
Morrisons' appealed three of Langstaff J's findings, namely that:
- the Act did not exclude the application of vicarious liability ("Issue 1");
- where a claim under the Act arises, it does not exclude concurrent claims for misuse of private information and breach of confidence and / or the imposition of vicarious liability for breaches of the same ("Issue 2"); and
- the wrongful acts of Mr Skelton occurred during the course of his employment by Morrisons, and, accordingly, Morrisons was vicariously liable for those wrongful acts ("Issue 3").
The Court of Appeal upheld each of Langstaff J's findings on Issues 1-3.
With regard to Issues 1 and 2, the Court of Appeal held that:
“The vicarious liability of an employer for misuse of private information by an employee and for breach of confidence by an employee has not been excluded by the DPA5” and “the concession that the causes of action for misuse of private information and breach of confidentiality are not excluded by the DPA in respect of the wrongful processing of data within the ambit of the DPA, and the complete absence of any provision of the DPA addressing the situation of an employer where an employee data controller breaches the requirements of the DPA, lead inevitably to the conclusion that the Judge was correct to hold that the common law remedy of vicarious liability of the employer in such circumstances (if the common law requirements are otherwise satisfied) was not expressly or impliedly excluded by the DPA.6”
With regard to Issue 3, the Court of Appeal approved Langstaff J's analysis, finding that, notwithstanding that Mr Skelton had committed the Breach: (1) from a personal computer; (2) at home; and (3) outside of working hours; there was a “seamless and continuous sequence” or “unbroken chain” of events linking back to his employment.
In doing so it:
- cited with approval the recent judgment of Asplin LJ in Bellman v Northampton Recruitment Ltd 2018 EWCA Civ 22147, in which it was held that in assessing whether an employer should be held vicariously liable for the acts of an employee the Court must assess whether the relevant acts fall “within the field of activities assigned to the employee” and, insofar as this is the case, whether there is a "sufficient connection" between the position in which the employee was employed and the relevant act for liability to attract to the employer. The Court of Appeal held that in this case: "the tortious acts of Mr Skelton in sending the claimants’ data to third parties were in our view within the field of activities assigned to him by Morrisons.8"; and
- held that an employer could be vicariously liable even where the intention of the employee committing the relevant act: "was to harm his employer rather than to achieve some benefit for himself or to inflict injury on a third party9", the employee's motive in committing the relevant act is irrelevant: "we do not accept that there is an exception to the irrelevance of motive where the motive is, by causing harm to a third party, to cause financial or reputational damage to the employer.10"
Practical points of note from the Court of Appeal's decision
The Court of Appeal's judgment will be of great concern to employers who might have hoped that Langstaff J's findings would be overturned on appeal; it leaves employers significantly exposed to potential claims arising from the misuse of personal data of which they are data controllers by rogue employees (even in circumstances where the stated aim of those employees is to deliberately harm their employer and the employer has not breached data protection legislation themselves).
Therefore, in order to manage the potential exposure which employers may face arising from the unauthorised disclosure of personal data of which they are data controllers, employers ought to consider taking steps to ensure both that they:
- implement "appropriate organisational and technical measures" to ensure that personal data in their possession is appropriately secured, and carefully monitor the implementation of those measures, and update them in a timely manner in line with relevant guidance and technical developments; and
- ensure that they have appropriate insurance coverage. As the Court of Appeal noted: "[t]here have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees.11"
The Court of Appeal's judgment demonstrates that having "appropriate organisational and technical measures" in place may not be sufficient to ensure that an employer avoids liability (hence the need for both of these steps to be taken). However, importantly, having such measures in place will limit the employer's potential exposure to sanctions by the ICO, which, since the GDPR came into force, can run to the greater of €20m or 4% of annual worldwide turnover, and in respect of which insurance coverage may not be available.
Appeal to the Supreme Court
Morrisons was refused leave to appeal by the Court of Appeal but it is understood that it intends to seek leave to appeal from the Supreme Court.
Assuming that the Supreme Court upholds the Court of Appeal's findings, the claim will be remitted to Langstaff J who will then determine Morrisons' liability in damages. If this occurs, although the Claimants' no longer have a claim against Morrisons for damages pursuant to S13 of the Act12 (the recoverability of which was recently considered by Warby J in Richard Lloyd and ors v Google [2018] EWHC 2599 (QB)), in determining the damages recoverable in respect of the Claimants' claims for misuse of private information and damages for breach of confidence, the Court may provide guidance regarding the damages13 recoverable in similar circumstances (e.g. for breaches of the GDPR). This would be of considerable assistance given that the law in this area remains uncertain.
Links to the judgments referred to above can be found below:
- WM Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339
- Various Claimants v WM Morrisons Supermarkets plc [2017] EWHC 3113 (QB)
- Bellman v Northampton Recruitment Ltd 2018 EWCA Civ 2214
- Richard Lloyd and ors v Google [2018] EWHC 2599 (QB)
1 Various Claimants v WM Morrisons Supermarkets plc [2017] EWHC 3113 (QB)
2 The data controller of the Data which was misused pursuant to the Breach was held to be Mr Skelton.
3 Langstaff J identified one deficiency in this respect; Morrisons' policies relating to deletion of data held outside the usual secure repository used for it, but considered that this deficiency was not sufficient to give rise to primary liability on Morrisons' part. This analysis echoed the Information Commissioner's Office's (the "ICO") decision not to pursue enforcement action against Morrisons.
4 Paragraph 198 of Langstaff J's judgment.
5 Paragraph 48 of the Court of Appeal's judgment.
6 Paragraph 60 of the Court of Appeal's judgment.
7 A decision which the Court of Appeal summarised at paragraph 71 of its judgment as follows:
"Mr Bellman was a sales manager for the Respondent recruitment firm. Mr Major was the firm’s managing director. A Christmas party was organised. At its end, Mr Major arranged taxis to transport staff to a hotel where they continued drinking, with drinks mainly paid for by the company. After a couple of hours, an argument broke out about a new employee’s placement and terms. Mr Major got cross and summoned staff to give them a long lecture on his authority. When Mr Bellman questioned Mr Major's decisions, he (Major) punched him (Bellman), causing brain damage. It was held by this Court, reversing the trial judge, that the defendant company was vicariously liable for the assault by the managing director."
8 Paragraph 72 of the Court of Appeal's judgment.
9 Paragraph 75 of the Court of Appeal's judgment.
10 Paragraph 76 of the Court of Appeal's judgment.
11 Paragraph 78 of the Court of Appeal's judgment.
12 Their claim against Morrisons for breach of the Act having been dismissed by Langstaff J.
13 None of the Claimants suffered direct financial losses (see paragraph 77 of the Court of Appeal's judgment) arising from the Breach. However, they allege that the Breach left them exposed to the risk of identity theft and potential financial loss.