Insurance and Vicarious Liability - April 2020
Two recent decisions of the
Supreme Court will be welcomed by public sector employers.
Supreme Court rules employer not vicariously liable for mass data breach by rogue employee
In a hugely welcome
decision for public bodies and their insurers, the Supreme Court
has unanimously ruled that WM Morrison Supermarkets Plc. was not
vicariously liable for a 2014 data breach which exposed personal
data of almost 100,000 employees. In WM Morrisons Supermarket PLC v Various Claimants
[2020] UKSC 12, the Court overturned the Court of Appeal
decision that an employer can be vicariously liable to multiple
claimants for a mass data breach committed by a rogue employee
(reprimanded after using the Morrisons post room to sell items on eBay),
reversing the first successful class action arising from such a
breach.
Background
In 2014, Andrew Skelton, a
senior internal IT auditor employed by Morrisons, posted personal
details of almost 100,000 Morrisons employees on a file-sharing
website in the name of an employee against whom he bore a grudge,
and later notified the press of the data breach. The data included
sensitive personal payroll data such as National Insurance numbers,
dates of birth, addresses, bank account details and salaries.
As soon as Morrisons became
aware of the breach it took action within 24 hours to remedy the
situation and mitigate financial losses stemming from the data
leak. Mr Skelton was convicted under the Data Protection Act 1998
(DPA) and Fraud Act 2006 and sentenced to eight years in prison.
The Claim
In the first action of its
kind, 5,518 employees affected by the breach brought a class action
against Morrisons alleging:
1. Breach of statutory duty under the DPA;
2. The common law tort of misuse of private information; and/or
3. Breach of confidence.
The High Court found that
Morrisons did not have direct liability under the DPA (or under
common law or equity) but were still vicariously liable for the
data breach. The Court of Appeal also upheld the High Court’s
finding that vicarious liability attached as the acts were “within
the field of activities assigned to the employee”. There was an
“unbroken thread that linked the employee’s work to the disclosure:
what happened was a seamless and continuous sequence of events”.
Decision of the Supreme Court
There were two key
questions before the court: (i) was Morrisons directly liable for
the breach under the Data Protection Act 1998 or at common law; and
(ii) should Morrisons be vicariously liable for the actions of its
ex-employee?
In allowing the appeal, the
Supreme Court unanimously held that the key test was whether the
wrongful conduct was so closely connected with the acts the
employee was authorised to do that it may fairly and properly be
regarded as being done by the employee while acting in the course
of his employment - the “close connection test”. Employers will not
be liable for an employee’s wrongful act where that act is not
engaged in furthering the employer's business, and is an effort to
deliberately harm the employer as part of a vendetta. Consequently,
no vicarious liability arose in this case.
However, the Supreme Court
found Morrisons’ argument that the Data Protection Act 1998 (the
relevant statute at the time of the breach) excludes imposition of
vicarious liability for either statutory or common law wrongs
‘unpersuasive’.
Implications for Public Bodies
This case represents the
first data class action in the UK of its type and will shape the
future risk profile of cyber policies. The judgement clarifies and
narrows the extent of vicarious liability and distinguishes between
wrongful acts performed within employees’ “field of activities” and
those which are “frolics” of their own.
The judgement confirms that
a mere opportunity to commit a wrongful act will not be sufficient
to impose vicarious liability on an employer, even where insurance
would otherwise help cover potential liability. In this case
‘although there was a close temporal link and an unbroken chain of
causation linking the provision of the data to Skelton for the
purpose of transmitting it to KPMG and his disclosing it on the
internet, a temporal or causal connection does not in itself
satisfy the close connection test.’
The motive of the wrongdoer
will be a key consideration, which means that an employer will not
be liable where a staff member commits a wrongful act pursuing
personal gratification or a vendetta. So, for example, a local
authority could be vicariously liable for a member of its waste staff
injuring a bystander when collecting bins as part of a weekly collection,
but not if the assault takes place as a result of a personal vendetta.
It must be remembered that
organisations still have responsibilities as data controllers to
data subjects and should ensure that they have systems and
protocols in place to protect them from unauthorised disclosure to
third parties. This decision provides guidance on situations in which
an organisation might still be vicariously liable after it has discharged
those duties, where an employee circumvents those systems and protocols.
The judgment has still left a little grey area as regards the
position where an employee misguidedly circumvents systems for an
innocent purpose in connection with something that he is employed
to do.
Barclays Bank Plc v Various Claimants.
The long-awaited decision
in Barclays Bank’s appeal to the Supreme Court was handed down on 1
April 2020. Barclays Bank was appealing against earlier decisions
which held them vicariously liable for the actions of an independently
contracted doctor.
Background
Dr Bates, who died in 2009,
was a self-employed medical practitioner and was contracted by
Barclays to conduct medical assessments between 1968 and 1984 of
the bank’s job applicants as part of its recruitment procedure. The
examinations were conducted in a consulting room at his home and he
was paid a fee for each medical report he produced. He was not
offered a retainer by Barclays.
Some 126 current and former
Barclays employees who had been examined by the doctor claimed
damages from the bank, claiming that it should be held vicariously
responsible for the abuse he allegedly committed.
The Court of Appeal had
previously held that Barclays was vicariously liable for any
assaults proved to have been perpetrated.
The Supreme Court, however,
unanimously allowed Barclays’ appeal and held that they were not
vicariously liable for Dr Bates’ alleged wrongdoing. The judgement
reiterated the two-stage test which needs to be satisfied for
vicarious liability to be established.
Firstly, there must be a
relationship between the two parties which ‘makes it proper for the
law to make one pay for the fault of the other’, and secondly, there
must be a connection between that relationship and the wrongdoing
of the person committing the tort.
In this case, the Supreme
Court concluded that the first test was not satisfied as the doctor
was not an employee of the bank (or anything close to an employee),
was not under a retainer which obliged him to conduct the
assessments, carried on his own business as a medical practitioner
and almost definitely had his own medical liability insurance.
Although the bank had requested certain questions to be covered as
part of the assessment, this was no different to Barclays giving
instructions to, for example, a window cleaner or auditor in their
role as an independent contractor.
Implications
The judgement of the court
has established some useful lines relating to worker and employee
status. The decision is likely to be welcome news for a variety of
organisations that engage the services of independent contractors.