Employers Are Not Liable for Rogue Employee Data Breaches

April 01, 2020

The UK Supreme Court has confirmed that employers are not liable for the actions of their rogue employees. It overturned the Court of Appeal (CoA) decision in Morrisons that employers can be vicariously liable for an employee’s misuse of personal data that was previously under the employer’s control.

The case is the first use of a group litigation order for data breach claims. The case was referred for a hearing to determine the compensation payable to the affected employees (who had not suffered any financial loss). Under the EU General Data Protection Regulation (the GDPR) and UK Data Protection Act 2018 (the DPA 2018), individuals can claim compensation for data protection breaches without the need to prove they have suffered any financial loss.

The Supreme Court heard the appeal on 6 and 7 November 2019 against the landmark ruling in WM Morrison Supermarkets plc v Various Claimants (2017)[1] (previously upheld by the Court of Appeal), in which an employer was held vicariously liable for a data breach caused by the actions of a rogue employee, even though the employer had in place appropriate data protection security measures to protect the personal data it controlled.

In this original case, more than 5,000 employees successfully brought a claim against their employer, Morrisons, for its breach of the UK’s old Data Protection Act 1998 (the DPA 1998), as well as damages for the tort of misuse of private information, after another disgruntled Morrisons employee, Mr. Andrew Skelton, disclosed copies of a payroll spreadsheet, including salary and other personal information relating to 100,000 Morrisons staff members, to certain newspapers. The employees claimed that their employer was liable for the actions of Mr. Skelton under the principle of vicarious liability.

Mr. Skelton, who is currently serving an eight-year prison sentence for his actions, had downloaded the data from his work computer onto a USB stick before using his personal computer to publish the information. Prior to doing so, Mr. Skelton had carried out internet searches for guidance on how to conceal his identity using software known as The Onion Router on the dark web.

In hearing the appeal, the Supreme Court considered three main issues:

  • Whether the doctrine of vicarious liability is excluded in cases involving data protection legislation (such that only Mr. Skelton, as the primary wrongdoer, can be held responsible for the breach of the legislation);
  • If the doctrine is excluded in such cases, whether it is equally excluded for related common law or equitable causes of action; and
  • If the doctrine is not excluded in such cases, whether the lower courts erred in concluding that Morrisons was vicariously liable in the circumstances of the case where Mr. Skelton committed wrongful acts while an employee of Morrisons, but where those acts were not within his employment duties.

Since the High Court’s decision, the UK has repealed and replaced the DPA 1998 with the GDPR and the DPA 2018. The data security obligations under the DPA 1998 remain substantively the same under the GDPR and the DPA 2018, and the principle of vicarious liability is also unaffected by the changes in the data privacy laws. Therefore, the Supreme Court’s decision remains relevant to data controllers and employers.

Data Controllers Are Not Liable for Rogue Employees

The Supreme Court decided that employers are vicariously liable for the actions of their employees where there is “an unbroken sequence of events” or a “seamless episode” relating to the capacity in which an employee was acting when the wrongful conduct took place. It decided that Mr. Skelton’s disclosure of the payroll data on the internet and subsequently to news outlets was not within his “field of activities”. He was, instead, on a “frolic of his own”, and his activities exceeded the limits for which his employer was liable.

How Should Employers Mitigate Risks?

Employers are still at risk of significant damage from rogue employees. This case, although helpful to employers in clarifying the limits of their liability for employees, does reiterate the need to implement policies and procedures to reduce the risk that employees cause damage by misusing the employer’s data, whether personal data or commercial data. Employers should consider implementing strategies to supplement their existing data protection procedures, including:

  • maintaining clear and accessible speaking-up policies, with a view to fostering an open and transparent culture in which employees feel comfortable raising concerns about their colleagues’ actions;
  • emphasising in staff data privacy training that the misuse of personal data could lead to personal criminal liability;
  • considering monitoring poorly performing or struggling employees’ use of IT systems and devices to a greater extent;
  • implementing technological controls over the use of USB sticks in the workplace, downloading of large data files, and monitoring high risk internet searches (such as The Onion Router); and
  • inserting language into employment contracts that expressly states that neither the employer nor any other companies in its group shall be vicariously liable for data breaches where the employee acts in breach of the employer’s policies and procedures and/or legal requirements.

Class/Collective Actions – A New Trend?

The Morrisons case is the first instance of a group litigation order being used in a data breach case. This has been followed by the group litigation against British Airways, following the 2018 data breach, and most recently by the litigation against Google brought by Richard Lloyd (which has been brought as a representative action, a form of “opt-out litigation” common in the US).

In the Lloyd case, the claimant, Mr. Lloyd, was successful in his application to bring a representative case against a US entity. We expect the proposed Directive on Representative Actions to be finalised by the European Commission next year. This could further increase the use of class/collective actions for data breaches across Europe.

Increases in the use of class/collective actions in the context of data breaches would follow an increase in such actions in other areas of dispute. For example, the use of class/collective actions is already commonplace in competition law, personal injury, and pensions disputes. Further, with the development of securities litigation in the United Kingdom (see, for example, the ongoing Tesco dispute), together with the ever-increasing prevalence of litigation funding, it would seem likely that class/collective actions will become a growing part of the legal landscape in the United Kingdom.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Omar Shah
Paul Mesquitta