On October 22, 2018, the UK Court of Appeal upheld the High Court’s decision that VM Morrison Supermarkets PLC (“Morrisons”) was vicariously liable for a data breach caused by a disgruntled former employee, despite Morrisons being cleared of any wrongdoing (VM Morrison Supermarkets PLC v Various Claimants). The case is important, given its potential “floodgate” effect on data breach class action claims in the UK. The Supreme Court has granted Morrisons permission to appeal the judgment on all grounds.

Background

The case is the first UK class action brought in response to a data breach. In 2014, while employed as a Morrisons Senior IT Auditor, Andrew Skelton copied the payroll data of almost 100,000 Morrisons employees onto a personal USB and posted them to a file sharing website. He also anonymously reported the breach to three newspapers. Ultimately, Skelton was jailed for eight years for various offenses, including under the Fraud Act 2006 and the Data Protection Act 1998 (the “DPA”).

Following the breach, 5,518 affected employees brought a class action against Morrisons alleging both primary (direct) and vicarious liability for: (1) breach of the 1st, 2nd, 3rd, 5th and 7th principles of the DPA (relating to fair and lawful processing, purpose limitation, minimization, retention and security); (2) the tort of misuse of private information; and (3) breach of confidence.

High Court Decision

In December 2017, the High Court rejected all claims of primary liability against Morrisons under the DPA, with one exception irrelevant to the data breach. The Court concluded that Skelton acted independently from Morrisons in deciding to use the payroll data and, as such, he became the data controller in respect of the relevant processing. Therefore, it was Skelton, as a third-party data controller, who breached the DPA, not Morrisons.

With respect to vicarious liability, however, the High Court ruled that Morrisons was vicariously liable for Skelton’s actions in disclosing the payroll data – despite the DPA not expressly providing for vicarious liability. The Court also rejected Morrisons’ argument that Skelton was not acting in the course of his employment when he stole and disclosed the payroll data, pointing to what it considered persuasive factual findings:

  • There was an unbroken thread linking Skelton’s work to the disclosure, including that when Skelton received the data, though covertly intending to copy it for misuse, he was acting as an employee.
  • Morrisons deliberately entrusted Skelton with the payroll data, and took the risk it might be wrong in placing such trust in him.
  • Skelton’s authorized work was to receive, store, and disclose to a third party the payroll data. His unauthorized disclosure was closely related to what he was tasked to do.

Morrisons appealed the decision to the Court of Appeal.

Court of Appeal Decision

On appeal, Morrisons argued that the DPA is a comprehensive code that necessarily excludes other causes of action and remedies in this context, including vicarious liability and common law causes of action. Morrisons also argued the lower court erred in concluding that the rogue employee’s wrongful act occurred during the course of his employment. In October 2018, the Court of Appeal unanimously dismissed Morrisons’ appeal.

Future Supreme Court Appeal

On appeal, the Supreme Court will consider, among other questions, (1) whether vicarious liability is available under the DPA in this context and (2) if the Court of Appeal’s conclusion that Skelton was acting in the course of his employment when he leaked the data was incorrect.

It is not yet clear when the appeal will be heard.