Data Protection: Employer vicariously liable for a rogue employee’s internet disclosure of 100,000 employees’ personal information

Mr Skelton was a senior IT internal auditor employed by Wm Morrisons Supermarkets plc.  In July 2013, he was given a formal verbal warning which left him holding a grudge against Morrisons.  A few months later, Morrisons’ external auditor asked Morrisons to provide payroll data in connection with the annual audit.   Having provided this information to the auditors, Mr Skelton also copied the data onto a personal USB.

Mr Skelton used this personal USB to post a file containing the personal data of 99,998 Morrisons employees onto a file sharing website and used the initials and date of birth of another employee in a deliberate attempt to frame him.  He did this from home, on a Sunday, using his personal equipment.  Shortly afterwards, links to the website were placed elsewhere on the web.  The data included the names, addresses, phone numbers, bank sort codes and account numbers and each employee’s salary.   In March, he anonymously sent a CD containing the data to three newspapers, who did not publish the information, but told Morrisons about it.  Within a few hours, Morrisons had taken steps to ensure that the website had been taken down and alerted the police.  Mr Skelton was arrested and charged with fraud, an offence under the Computer Misuse Act 1990 and under the Data Protection Act 1998.  He was tried, convicted, and sentenced to eight years’ imprisonment.

As we reported earlier this year, in the first class action of its kind, over 5,000 employees brought proceedings against Morrisons in the High Court, seeking damages and interest for misuse of private information, breach of confidence and breach of statutory duty under the Data Protection Act.  They claimed that Morrisons was vicariously liable for the wrongful conduct of Mr Skelton, as well as having primary liability for its own acts and omissions.

The High Court rejected the argument that Morrisons bore any primary liability. However,  it held that Morrisons was vicariously liable for Mr Skelton’s acts, and made important findings on vicarious liability in the context of data protection. Given the potential ramifications of this judgment Morrisons appealed.

The Court of Appeal agreed with the High Court that the principles of vicarious liability apply to the Data Protection Act 1998 and, considering the tests for vicarious liability on these facts, it agreed that Mr Skelton’s actions fell within the “field of activities” entrusted to him by Morrisons, and that there was sufficient connection between the position in which he was employed and his wrongful conduct for Morrisons to be held liable.  This was despite the disconnect in time, place and nature from Mr Skelton’s employment when he posted the data.    However, the Court considered that there was a novel feature of this case, in that Mr Skelton’s motive was to harm his employer rather than to achieve some benefit for himself or to inflict injury on a third party.  Morrisons argued that to impose vicarious liability on it under these circumstances would render the court an accessory in furthering Mr Skelton’s criminal aims.  The Court of Appeal did not agree:  motive is irrelevant to data privacy issues even when the motive is causing harm to a third party to cause damage to the employer.

Morrisons argued that the large number of claimants and the total number of employees whose confidential information had wrongly been made public illustrates how enormous a burden a finding of vicarious liability would place on Morrisons and could place on other innocent employers in future cases.  However, the Court of Appeal found these arguments “unconvincing”, referring to them as “Doomsday or Armageddon arguments”.  While there have been data breaches on a massive scale in recent years, which could lead to a large number of claims against companies for potentially ruinous amounts, the judge suggested that the solution is to insure against these risks.  Indeed the fact that Morrisons had Cyber insurances was an important feature in the Court of Appeal’s decision.

This confirms that employers may be vicariously liable for their employees’ breaches of data protection legislation, even where the employee’s motive is to damage the employer, and the acts are committed outside working hours and premises.  This is, of course, not good news for employers.  Employers will probably have already checked their data security measures when preparing for GDPR: if they have not, they should do so.  They should also check the extent to which their insurance might cover them in the event of data protection breaches by their employees, and ensure that they have put any measures in place that are required by their insurers as a condition of any cover.

It is expected that this judgment will be appealed to the Supreme Court.