One of the worst nightmares for any employer is when an employee goes “rogue” during the course of carrying out his duties, causing possible embarrassment but also potentially making him legally liable for the consequences of the wrongful act. The cases establish that the employer is only liable if there is a close connection between the wrongful act and an act which the employer authorised the employee to undertake. Two cases involving the supermarket chain, Wm Morrison provide useful and contrasting illustrations of the principle.
In Mohamud v Wm Morrison Supermarkets Plc  UKSC 11, Morrisons employed a petrol pump attendant who got into an altercation with a customer and, during the course of the row, assaulted him. The customer sued the supermarket upon the basis that they were vicariously liable for their employee’s act. They had authorised him to deal with customers of their petrol station and it was during the course of that authorised act that he carried out the wrong: there was a “close connection” between the two. The court held Morrisons to be liable to the customer.
However, the Supreme Court reached a different conclusion in the recently reported case of Wm Morrison Supermarkets (Appellant) v Various Claimants (Respondents)  UKSC 12.
Here, an employee in Morrisons’ accounts department became aggrieved with his treatment by his employers and decided to exact some revenge. The employee’s duties included the processing of data relating to employee earning and its supply to the company’s auditors. Having completed that task, he uploaded the data to a USB stick and then published the data on a file sharing site so that the earnings of nearly 100,000 employees were made public.
Various employees commenced proceedings against Morrisons for its breach of the statutory duty created by section 4(4) of the DPA, misuse of private information and breach of confidence upon the basis that they were vicariously liable for the wrongs of the rogue employee. They succeeded at first instance and on appeal. Morrisons took the case to the Supreme Court and were successful. The Supreme Court considered that the lower courts had drawn the wrong conclusions from the earlier authorities, including Mohamud.
The courts below had misunderstood the principles governing vicarious liability in the following respects:
- The disclosure of the data on the internet did not form part of the employee’s functions or fields of activity-it was not an act he was authorised to do:
- There was a close temporal link and an unbroken chain of causation linking the provision of data to the rogue employee and his abuse of that data but that was not, in itself enough to satisfy the close connection test established by authority.
- The courts had treated the motive of the rogue employee as being irrelevant but, in fact, it was fundamental. In cases in which vicarious liability had been established, including Mohamud, the employee in question had not been acting out of any personal motive but was seeking to protect his employer’s interests, however wrongheadedly.
In conclusion, Morrisons was not liable because of the lack of close connection between the authorised act and the wrongful act although his motive seemed to play a significant part in the decision of the court. An employee who is on a frolic of his own and not simply carrying out his duties in a misguided or reckless manner, is far less likely to cause his employer to be liable.
Employers can do their best to minimise the risks of employees going rogue, such as publishing clear and comprehensive training manuals and having proper security in place, in particular with computer systems but this will not prevent liability being imposed in circumstances in which the employees’ behaviour is closely connected to his duties.