Wm Morrison Supermarkets plc

Data Breach Claims – Wm Morrison Supermarkets plc

In Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, the Supreme Court has overturned judgments of the High Court and Court of Appeal and decided that a supermarket was not vicariously liable for unauthorised breaches of the Data Protection Act 1998 committed by an employee.

Wm Morrison Supermarkets plc v Various Claimants - the facts

In 2013, Mr Skelton, who was then employed by Wm Morrison Supermarkets plc (Morrisons) as an internal IT auditor, was provided with a verbal warning for minor misconduct. Subsequently, he developed an irrational grudge against his employer. After being asked by Morrisons to provide payroll data for the entire workforce to external auditors, Mr Skelton copied the data onto a USB stick. He took the USB stick home and posted the data on the internet, using another employee's details in an attempt to conceal his actions. He also sent this data to three national newspapers, purporting to be a concerned member of the public.

The newspapers did not publish the data, but one newspaper alerted Morrisons, who immediately took steps to remove the data from the internet, contact the police and begin an internal investigation. Morrisons spent £2.26 million dealing with the aftermath of the disclosure, a large proportion of which was spent on security measures for its employees. Mr Skelton was arrested and ultimately convicted of criminal offences under the Computer Misuse Act 1990 and section 55 of the DPA 1998, which was in force at the time.

The claimants in this case were 9,263 of Morrisons' employees or former employees. They claimed damages from Morrisons in the High Court for misuse of private information and breach of confidence, and for breach of its statutory duty under section 4(4) of the DPA 1998. The claimants alleged that Morrisons was either primarily liable under those heads of claim or vicariously liable for Mr Skelton's wrongful conduct.

Data Protection Act 1998

This case was decided under the Data Protection Act 1998 (DPA 1998) which was applicable at the time. The DPA 1998 implemented the Data Protection Directive (95/46/EEC) and imposed broad obligations on those who collect personal data (data controllers), as well as conferring broad rights on individuals about whom data is collected (data subjects). Section 4(4) of the DPA 1998 provided that a data controller must comply with eight data protection principles in relation to all personal data with respect to which they are a controller.

Under section 13(1), any breach of the DPA 1998 which caused damage entitled the victim to compensation for that damage. Section 13(2) provided as follows:

"An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if the individual also suffers damage by reason of the contravention."

Under section 13(3), it was a defence to any proceedings under section 13 for a person, or in this case Morrisons, to prove that they had taken such care as was reasonably required in all the circumstances to comply with the relevant requirement.

Vicarious liability

It was also crucial to consider whether Morrisons could be vicariously liable for their employee’s action in this instance. Employers will be liable for torts committed by an employee under the doctrine of vicarious liability where there is a sufficient connection between the employment and the wrongdoing. There is a two-stage test:

  • Is there a relationship between the primary wrongdoer and the person alleged to be liable which is capable of giving rise to vicarious liability?
  • Is the connection between the employment and the wrongful act or omission so close that it would be just and reasonable to impose liability?

In Lister v Hesley Hall Ltd [2001] UKHL 22, the House of Lords characterised the second stage as a "sufficient connection" test. The question was whether the torts were "so closely connected with [the] employment that it would be fair and just to hold the employers vicariously liable".

In Mohamud v Wm Morrison Supermarkets plc [2016] UKSC 11 (Mohamud), the Supreme Court held that the supermarket was vicariously liable for an employee's unprovoked violent assault on a customer. It found that there was a sufficiently close connection between the assault and the employee's job of attending to customers, such that the employer should be held vicariously liable

Wm Morrison Supermarkets plc - Decision

Morrisons was not vicariously liable for Mr Skelton's actions. It found that the Court of Appeal had misunderstood the principles governing vicarious liability in the following respects:

  • The disclosure of the data on the internet did not form part of Mr Skelton's functions or field of activities. This was not an act which he was authorised to do.
  • Although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Mr Skelton for the purpose of transmitting it to the auditors and his disclosing it on the internet, a temporal or causal connection did not in itself satisfy the close connection test.
  • The reason why Mr Skelton acted wrongfully was not irrelevant. Whether he was acting on his employer's business or for purely personal reasons was highly material.

The mere fact that Mr Skelton's employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability. It was clear that Mr Skelton was not engaged in furthering his employer's business when he committed the wrongdoing. On the contrary, he was pursuing a personal vendetta. His wrongful conduct was not so closely connected with acts which he was authorised to do that it could fairly and properly be regarded as done by him while acting in the ordinary course of his employment.

Comment

This decision will provide welcome confirmation for employers that they will not always be liable for data breaches committed by rogue employees. It similarly provides helpful clarification for practitioners on the way in which the judgment in Mohamud should be applied in future cases concerning vicarious liability.

The facts in this case were extreme. It seems that Morrisons were wholly unaware of the grudge held by Mr Skelton. Mr Skelton also took extraordinary actions to cover up what he had done and even to frame another employee.

Unanswered questions

Had Morrisons been found vicariously liable for Mr Skelton’s actions, the employees who made the claims would have had to prove that they suffered ‘distress, anxiety, upset and damage’ by the mishandling of their personal information. A supreme court ruling on the issue would have provided a helpful benchmark to those wanting to understand more about how our courts quantify compensation for data breaches.

Moving forward

Employers should take away from the judgment that although this case was decided under the previous data protection regime, the DPA 1998 and the GDPR are based on broadly similar principles. Therefore the GDPR and Data Protection Act 2018 (DPA 2018) will not be a barrier to vicarious liability actions in data privacy proceedings commenced under the current regime.

Additionally, the GDPR makes compliance far more onerous for controllers and risks exposure to the huge revenue-based fines and data subject compensation claims for breaches of the GDPR and DPA 2018. This includes failing to safeguard data to statutory standards and neglect to have governance in place to curb the malicious acts of rogue employees.

The success of Morrisons in bringing to an end the threat under this case of being subject to a group action for compensation follows Google LLC being granted freedom to appeal against the Court of Appeal's order in Lloyd v Google LLC [2019] EWCA Civ 1599 and is another significant development in the progress of representative class actions in the UK legal system.

If you have any questions on data protection law or on any of the issues raised in this article please get in touch with one of our data protection lawyers.


Commercial law firm London EM Law

Terminating a Contract - Tread Carefully

Terminating a contract may be the way forward especially when the other party has blatantly failed to meet its obligations. But don’t fall into the trap of thinking that terminating a contract is straightforward. Giving the correct notice and reasons for terminating a contract is a process to be carefully navigated if the adversely affected party wants to claim all possible compensation.

Examples of improper approaches to terminating a contract can be dramatic. In the case of Phones 4u Ltd v EE Ltd [2018], EE denied themselves a £200 million claim because of a badly drafted termination notice. Given the potential consequences it is generally assumed that an aggrieved party will take legal advice before going ahead with termination.

Most importantly you must act. Even a repudiation, meaning the most serious breach of contract, does not automatically end a contract. Termination rights can also be lost by delay. By the time an aggrieved party decides to assert itself it may be too late.

Things to be most wary of when terminating a contract

Terminating a contract without the right to do so

  • By terminating a contract you are refusing to perform any duties which may arise after termination.
  • If not justified by a contractual or common law right this refusal to perform is usually itself a repudiation.
  • The other party could accept the repudiation, terminate the contract and sue for damages.

Giving the wrong grounds for termination

This is what happened in the Phones 4u In that instance EE terminated its contract with Phones 4u on the basis of its rights to terminate for the other party’s insolvency. EE did not explicitly state in its termination notice that Phones 4u were in breach of contract. Even though EE had reserved its rights in the termination notice the judge nevertheless ruled that EE’s £200 million claim against Phones 4u for breach of contract could not now be pursued.

Not following the contractual termination procedure

  • The basic rule is that a party serving a notice to exercise a right must comply strictly with the contract.
  • Failing to comply may render a termination invalid even if the requirement is meaningless or pointless.
  • In the case Zayo Group Internaitonal Ltd v Ainger and other [2017] the court ruled that a requirement to leave the termination notice at a party’s old address was still valid. Because the notice wasn’t left at the old address on time the claim failed.
  • Serving an ineffective notice of termination could amount to a repudiatory breach as it communicates an intention to stop performing and may be accompanied by such action.

You can't take it back

It is also important to note that you cannot take back a termination notice:

  • Serving a termination notice communicates a party’s decision to exercise its termination right, which is not compatible with keeping the contract alive.
  • In two employment cases, the employee who gave a clear unequivocal notice to resign was then unable to withdraw that notice after an hour in the case of Riordan v War Office [1959] and a day in Southern v Frank Charlesly & Co [1981].

Terminating a Contract - Common Law Rights

Aside from express or implied termination clauses it is also important to consider common law rights when contemplating grounds for termination. The common law gives every contracting party the right to terminate on repudiation. A repudiation comes in different forms:

  • Breach of a condition.
  • Repudiatory breach of an intermediate term (or innominate term).
  • Renunciation, defined as, a party’s outright refusal to perform all or substantially all its obligations under a contract.
  • Impossibility, if a party makes it impossible to perform the contract.

Understanding repudiatory breaches of intermediate terms is key when assessing your possible right to terminate a contract. Generally speaking, a breach of an intermediate term is repudiatory if it deprives the aggrieved party of substantially all the benefit of the contract. This deprivation must also coincide with the time that the aggrieved party chose to terminate.

Final word

Terminating a contract must be done carefully if the aggrieved party wants to retrieve as much compensation as possible. As we say above the consequences of not doing so can be severe. Please get in touch with Neil Williamson or Joanna McKenzie if you need any help.

 


EM Law force majeure

Force Majeure – Not Easy To Rely On

In a recent case (Seadrill Ghana Operations Ltd v Tullow Ghana Ltd [2018] EWHC 1640 (Comm)) the High Court ruled that although a force majeure event had arisen, that event was not the sole reason for Tullow’s failure to perform. As such Tullow could not rely on the force majeure clause to avoid liability for its failure to perform.

Background

Tullow had interests in two offshore petroleum licences off the coast of Ghana granted by the Government of Ghana. Tullow hired a large and expensive drilling rig from Seadrill to extract the oil – operating costs for the rig were USD 600,000 per day.

The contract between Tullow and Seadrill contained a force majeure clause that specifically included a “drilling moratorium imposed by the government” as an example of a force majeure event.

After the contract had been entered into, the Government of Ghana and the Government of Cote d’Ivoire entered into arbitration to resolve an offshore boundary dispute. This led to the arbitration tribunal making a Provisional Measures Order ("PMO") pursuant to which the tribunal ordered that "Ghana shall take all necessary steps to ensure that no new drilling either by Ghana or under its control takes place in the disputed area. As a result of this order, the Government of Ghana imposed a moratorium on drilling in one of the concessions. Tullow was also prevented from drilling in its other concession because the Government of Ghana refused to approve its project plan for that area.

Tullow terminated its contract with Seadrill relying on the force majeure clause.

Seadrill claimed that Tullow terminated the contract for convenience deciding that the contract had become too expensive. Due to the collapse in oil prices by the time that Tullow terminated the contract similar rigs were being hired out for around USD 200,000 per day.

Decision

The High Court found that the drilling moratorium was a force majeure event while the Government of Ghana’s failure to approve the project plan for the other concession was not. Citing the Court of Appeal's decision in Intertradex v Lesieur [1978] 2 Lloyd's Reports 509, which establishes the proposition that a force majeure event must be the sole cause of the failure to perform an obligation, Teare J concluded that there was no sole cause here.

Tullow was ordered to make payment to Seadrill of approximately USD 254 million.

Conclusions

As a clause often found at the back of a contract, it is easy to forget how important the force majeure clause can be. Careful consideration needs to be given as to how it is drafted. If a party wants to be able to vary or terminate a contract if adverse economic conditions arise then specific provisions should be built in to address this – a standard force majeure clause would probably not be sufficient.

Terminating a contract on grounds of force majeure is not straightforward. The relevant force majeure event must actually cause the failure to perform and must be the sole cause.

Remember that emails you send can end up in court. In this case the court was presented with an email from a director of Tullow who had written to a colleague asking whether "with a bit of manipulation" it was possible to use the PMO "to call FM” (force majeure) on either the West Leo or Drillmax." (West Leo was the name of Seadrill’s rig.) That email certainly can’t have helped Tullow’s cause.

If you have any questions around force majeure or you need support with drafting force majeure clauses contact Neil Williamson.


EM Law Fluor v Shanghai Zhenhua Photo By Matt Artz

Fluor v Shanghai Zhenhua Heavy Industries Ltd [2018] EWHC 1 – a reminder of the importance of getting Settlement Agreements right

Fluor v Shanghai Zhenhua Heavy Industries Ltd [2018] EWHC 1 is a recent case heard in the High Court to determine the damages that a supplier (Shanghai Zhenhua Heavy Industries Ltd (SZHI) should be liable to a contractor (Fluor) for. The case is a reminder of the importance of getting a settlement agreement right.

Background

Fluor contracted with Greater Gabbard Offshore Winds Ltd (GGOW) to build the foundations and infrastructure for a 140 turbine wind farm in the North Sea off the Suffolk coast.

SZHI contracted with Fluor to make the turbine foundations.

When the integrity of the first few batches of SZHI’s steel piles was tested by Fluor, the tests revealed extensive cracking in the welding on the piles. Fluor issued certificates of non conformance in respect of the steel piles and transition pieces delivered with them following which an extensive progamme of testing and repair began. Litigation ensued which resulted (in 2016) in SZHI being found liable for breach of contract with Fluor.

On 11 January 2018 Sir Antony Edwards-Stuart (sitting as a High Court Judge) gave judgment on the amount of damages that SZHI should pay Fluor.

The Judgment

The judgment is complex. One of the issues that was considered was the correct approach to delay analysis with the court concluding that some form of retrospective analysis was required in this instance.

The main point that we want to flag up from this case is the judge’s comments on and approach to the settlement agreement that Fluor entered into with GGOW (as prime contractor, Fluor was responsible to GGOW for the faults in the foundations supplied by SZHI). The judge had to consider the extent to which the settlement agreement limited the damages that Fluor could recover from SZHI.

Paragraphs 465 and 466 of the judgment are set out below:

“465.   It is settled law that, in principle, C can recover from a contract breaker, B, sums that it has paid to A in settlement of a claim made by A against C in respect of loss cause by B’s breach of its contract with C.

466.   However, C’s settlement with A must be an objectively reasonable settlement and, if it is, that sum represents the measure of C’s damages in respect of B’s breach of contract (assuming there were no other heads of loss). Even if C can show that its settlement with A was at an undervalue, the settlement sum still represents a ceiling on the amount that it can recover from B.”

So, to put it another way, if your customer sues you for losses caused by your subcontractor then the amount that you agree to pay your customer under the settlement agreement that you make with him is the amount that the subcontractor must pay you provided that the settlement agreement is objectively reasonable.

If the settlement agreement is not objectively reasonable (perhaps because you agreed to pay your customer more than you should have done) then you may not be able to recover that amount from your subcontractor.

As ever, care and attention is needed when dealing with claims and settlement of claims.

In Fluor v Shanghai Zhenhua Heavy Industries Ltd the judge concluded that the settlement agreement between Fluor and GGOW was objectively reasonable.

For any questions you have concerning this case or if you are facing a breach of contract dispute please contact us.