In a decision that will come as a relief to many businesses, the UK Supreme Court has unanimously held that companies should not be held vicariously liable for the actions of rogue employees who leak personal data.
The Supreme Court's decision focused on the circumstances in which an employer is vicariously liable for the conduct of employees who stray outside the course of their employment, in the particular context of data breaches caused by rogue employees. The Supreme Court held that employers could not be held vicariously liable in respect of such data breaches. In so doing, the Supreme Court overturned previous decisions by the High Court and the Court of Appeal, which had previously held that an employer could be vicariously liable for the tortious acts of an employee who had unlawfully (and without the permission of the employer) disseminated personal data held by the employer.
The issues before the Court
In summary, the Court was asked to decide:
- first, whether an employer can be vicariously liable for data breaches arising out of misconduct by an employee; and
- second, if the employer could be vicariously liable, whether that liability excluded: (a) statutory torts committed by an employee; and (b) breaches, by an employee, of duties arising in common law or in equity.
Vicarious liability of employers for data breaches caused by rogue employees
In examining the question of whether an employer can be vicariously liable for data breaches arising out of misconduct by an employee acting outside the scope of his or her employment, the Supreme Court held that such vicarious liability could not be imposed. In other words, an employer is not liable where an employee, who is not engaged in furthering the employer's business but is instead acting for his or her own purposes, causes the employer to suffer a data breach.
In so finding, the Court considered the circumstances in which a company would be found vicariously liable for an unlawful disclosure of personal data by an employee. The Court drew on Lord Nicholls's judgment in Dubai Aluminium v Salaam, and determined that the key question was whether the employee's disclosure of the data was "so closely connected with acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment".
In order for an employer to be vicariously liable, there must be a sufficiently close connection between:
(i) the acts the employee was authorised to do; and
(ii) the employee's wrongful conduct;
such that it can properly be said the wrongful conduct was carried out in the ordinary course of the employee's employment.
Applying this test, the Supreme Court held that on the facts of the present case, the employer should not be vicariously liable for a data breach caused by the actions of a rogue employee. Importantly, the mere fact that the employee's employment in the present case gave him the opportunity to commit the data breach was not considered sufficient to justify the imposition of vicarious liability on the employer.
Exclusion of liability under the Data Protection Act 1998
Because the Supreme Court had concluded that the employer did not have vicarious liability in this case, it was not strictly necessary to decide whether the Data Protection Act 1998 (the "DPA 1998") (the law that applied at the time of the data breach, and which has now been replaced) excluded liability for: (a) statutory torts committed by an employee; and (b) breaches, by an employee, of duties arising in common law or in equity. Nevertheless, the Court considered these issues, and held that the DPA 1998 does not exclude the possibility of vicarious liability under either of these limbs.
Impact on businesses
The Supreme Court's decision will come as a welcome relief to many businesses, who will have been concerned about the potential for claims that could have arisen had the Supreme Court followed the decisions of the lower courts in this case, and held that the employer was vicariously liable. Instead, the Supreme Court has delivered a clear, unanimous statement that employers should not have vicarious liability for the actions of rogue employees who commit data breaches.
However, it should also be noted that the facts are crucial to determining liability. The employee in the present case had acted for purely personal reasons, with a specific intention to harm his employer, apparently in revenge for previous disciplinary proceedings. Therefore, although the Supreme Court's decision is a welcome one, it does not mean that employers can never be vicariously liable for data breaches caused by employees – it only means that the employer is not vicariously liable to the extent that an employee strays so far outside his or her duties that his or her actions can no longer be fairly and properly be regarded as done by him or her while acting in the ordinary course of his or her employment.
Khadija El-Leithy (White & Case, Trainee Solicitor, London) contributed to the development of this publication.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2020 White & Case LLP