It is widely understood that regulatory breaches can have criminal consequences. But how can civil consequences of regulatory breaches arise with no direct fault on the part of the employer?
Recent case law has brought vicarious liability into the spotlight with high profile cases such as the Morrisons data breach. Our insight explores various cases and the reasons why vicarious liability may or may not arise.
It is worth briefly considering the different types of criminal regulatory breach before we consider how these apply to civil breaches.
Some breaches are strict liability offences, meaning that the act itself is sufficient for an offence to be committed and that no defence is available – not having a health and safety risk assessment and drink driving are examples of this type of offence.
Others are subject to qualifications which, if proven, mean the offence is not committed. An example of this type of offence is the reverse burden of "so far as reasonably practicable" which applies to certain health and safety offences, meaning that a defendant who proves it did everything reasonably practicable to ensure safety has not committee an offence..
Finally there are defences and excuses which apply to certain offences and render the potentially unlawful conduct lawful, examples of this are the well-known defences of self-defence and insanity respectively.
When a regulatory breach occurs a dutyholder can generally be directly liable to compensate third parties on a number of potential grounds. These include actions for breach of statute, actions in tort (for example for negligence), or for a breach of common law (i.e. where a common law offence has been committed).
Generally where a dutyholder, such as an employer, has followed best practice principles it will not have committed an offence (unless the offence is strict liability) or acted negligently.
However civil liability can arise under the principle of vicarious liability, which means that an employer can be liable for the acts or omissions of its employees, even where no breach by the employer has occurred. This can be the case even where that employee committed a deliberate criminal action in which the employer played no part and contrary to the employer's direct instructions.
The scope of this vicarious liability has expanded hugely in the recent past so we set out below a brief overview of the facts and key principles of some important recent cases which significantly expand the ambit of this principle:-
This case concerned sexual abuse carried out by the members of an unincorporated association, the questions was whether they were employees? The answer was no, however the Court deemed that:-
Vicarious liability is imposed where a defendant, whose relationship with the abuser put it in a position to use the abuser to carry on its business or to further its own interests, has done so in a manner which has created or significantly enhanced the risk that the victim or victims would suffer the relevant abuse. The essential closeness of connection between the relationship between the defendant and the tortfeasor and the acts of abuse thus involves a strong causative link.
In short, actual employment is not necessary to impose vicarious liability on a business where there is a strong causative link between its activities and the actions of the offending individual.
The case also reaffirms that deliberate criminal actions by employees can give rise to liability on the part of an innocent employer. No one suggested that the Catholic Child Welfare Society had encouraged these actions, but liability still arose.
The case set the criteria for assessing vicarious liability in employment, namely:-
The employer is more likely to have the means to compensate the victim than the employee and can be expected to have insured against that liability;
The tort will have been committed as a result of activity being taken by the employee on behalf of the employer;
The employee’s activity is likely to be part of the business activity of the employer;
The employer, by employing the employee to carry on the activity will have created the risk of the tort committed by the employee;
The employee will, to a greater or lesser degree, have been under the control of the employer.
If these criteria are satisfied, then a relationship analogous to employment exists and the Court will then examine whether the relationship between the act and the "employment" were sufficiently closely connected to give rise to liability.
In this case a petrol station kiosk attendant assaulted a customer without provocation. He did so in the course of his employment, but was not employed to engage in any type of confrontation with customers (he was not, for example, a security guard). The Judge at first instance found no vicarious liability because there was no close connection between the employment of the defendant and his actions.
The Court of Appeal summarised the test for a close connection as:-
The Court of Appeal decided that the initial altercation was within the employee's field of activities and that the subsequent series of actions culminating in assault were "an unbroken sequence of events". As such although a "gross abuse" of his position there was a close connection between his employment and the actions that led to the claim, meaning vicarious liability arose.
Other cases have even held that a medical examiner acting as a contractor can create vicarious liability for sexual abuse where a medical examination by him was a prerequisite to employment.
This case concerned an employee who intentionally released large volumes of confidential payroll data on the internet, ultimately leading to his imprisonment. Those affected brought a group action against Morrisons. There were a number of arguments, including whether vicarious liability was excluded by the statutory regime. The Court considered that it was not and that the position was no different to common law vicarious liability whereby the employer can be innocent of any civil or criminal wrong but remains liable for the actions of its employees.
A further question was whether Morrisons should be liable for the illegal actions of an employee which were directed against Morrisons, leading to a position where the Court could be perceived to be furthering his purpose. The Court's reasoning was explicit however that there was no exception for malicious motives. The Court's decision is revealing as it highlights the need for innocent third parties to be able to recoup their losses and the availability of insurance as key factors in deciding that liability arises.
It was also argued that the actions of the employee were separated from his employment both geographically and by time (he had waited some time before releasing the data to conceal his involvement). However the Court concluded that the actions were an unbroken chain of events arising from his employment,, meaning that vicarious liability arose.
The above cases all highlight that vicarious liability has broadened significantly, and may well continue to do so. The Courts are explicit about the public policy reasons that underpin their approach (i.e. is the risk created by your business activities and are you in the best position to compensate?).
It is essential to ensure that your employer's and public liability insurance policies include cover for deliberate criminal actions by employees and third party contractors in circumstances where vicarious liability could arise.
It is important to consider the tests for control when engaging third parties and whether you are inadvertently creating the conditions for vicarious liability claims to arise and, if you are, whether your insurance cover is adequate. It is also important to minimise the scope of potential liability by examining what controls are in place for your contractors, as well as what other safeguards are in place to control or prevent breaches in the first place (for example minimising the risk of data breaches with encryption and authentication, designing out safety risks to minimise reliance on human controls etc…).
Given the long tail nature of some claims it is also important to retain key records, even where they relate to third party contractors,, particularly where concerns or complaints have been received.
The above principles have not yet impacted on the approach to criminal regulatory breaches, however where an employee deliberately commits an offence similar questions will arise. In criminal regulatory law the Courts must examine issues such as whether the employee was part of your undertaking, was he on a frolic of his own, was he a skilled, trained and competent individual who ignored that training etc… but as insurance is not available for criminal fines the public policy arguments for imposing strict liability for employee misconduct are much weaker.
Nevertheless it is very important for employers to appreciate that compliance with regulatory obligations is not simply a matter of criminal law. The potential civil implications can be very significant and their scope, and impact, particularly where insurance is not sufficiently comprehensive, are aptly demonstrated by the 2017 Morrisons case. Even where no offence is committed, and this is particularly the case where an employee commits an act which may not realistically be preventable, their action can still create the conditions for group litigation.
Considering your control systems and addressing employees who pose a risk are steps to minimising the likelihood of such an event but the ever expanding scope of vicarious liability makes it important to assess your insurance arrangements.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at December 2018. Specific advice should be sought for specific cases. For more information see our terms & conditions.