Employment Law Update – August 2020

Wednesday 5th August 2020

EMPLOYER NOT LIABLE FOR EMPLOYEE’S DATA BREACH

In the case of Wm Morrison Supermarkets plc v Various Claimants, the Supreme Court held that Morrisons was not vicariously liable for the unauthorised uploading of payroll data to the internet by an employee using his personal equipment at home on his day off.

Facts

S, a senior IT internal auditor, was employed by Morrisons. He held a grudge against his employer for a previous disciplinary warning. When tasked with transmitting payroll data for the entire workforce to external auditors, he also released this data onto a public file-sharing website and anonymously sent it to three newspapers.

A large number of Morrisons employees whose data had been disclosed brought a claim against Morrisons for compensation. They contended that Morrisons had both primary liability for its own acts and omissions, and vicarious liability for S’s actions.

The High Court decided that Morrisons bore no primary responsibility, but the issue of vicarious liability made it all the way to the Supreme Court.

The Supreme Court explained that the question which needed to be asked was whether the conduct was so closely connected with acts that the employee was authorised to do that it may fairly and properly be regarded as done by that employee in the ordinary course of their employment. Whether the employee is acting on the employer’s business or for personal reasons is important.

The Supreme Court found that S’s wrongful disclosure of the data was not so closely connected with the task he was authorised to do that it could fairly and properly be regarded as made by S while acting in the ordinary course of his employment. The fact that his employment had given him the opportunity to commit the wrongful act was not sufficient. It was clear that S was pursuing a personal vendetta.

The Supreme Court found Morrisons not to be vicariously liable for the actions of S.

Comment

This case should give some comfort to employers in that they are unlikely to be held liable for data breaches caused by employees acting on personal grudges, provided that their actions are not closely connected with the acts they are authorised to do as part of their employment.