Employer vicariously liable for deliberate data breach by rogue employee
The Court of Appeal has upheld the High Court’s decision in WM Morrison Supermarkets plc v Various Claimants that an employer was vicariously liable for a data breach by one of its employees who deliberately disclosed his co-workers’ personal data.
Mr Skelton, an internal auditor, developed a grudge against his employer after he was given a formal verbal warning and decided to use his authorised access to payroll data to cause damage to his employer. He had been given an encrypted USB stick containing payroll data to provide to KPMG for auditing purposes. He downloaded this information onto a personal USB stick and set up a file containing personal details such as names, dates of birth, national insurance numbers, bank account and salary details of almost 100,000 Morrisons employees. He put this information on a file-sharing website and anonymously notified a number of newspapers of the data leak shortly before Morrisons was about to announce its annual financial report. This had serious implications for the share value and raised the concern that the data could be used to access the individuals’ bank accounts or for identity theft. He was convicted of fraud and of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998.
Over 5,000 employees brought claims against Morrisons for breach of the Data Protection Act 1998 (DPA), misuse of private information and breach of confidence. The High Court dismissed all the claims for primary liability, as Morrisons had not directly misused or permitted the misuse of any personal information. It was not disputed that Mr Skelton was the data controller for DPA purposes. However, the Court did find that Morrisons was vicariously liable under the DPA, as this is not specifically excluded under the legislation and there was a sufficient connection between Mr Skelton’s employment and the actions he took.
The Court of Appeal agreed with the conclusions concerning primary liability. It also held that vicarious liability was covered by the DPA and went on to consider whether his actions were “in the course of his employment”, following the two-stage test established by Mohamud v Morrisons. This asks whether the actions fell within the “field of activities” entrusted to him and whether there was a sufficient connection between the position in which he was employed and his wrongful conduct to make it right, under the principle of social justice, for Morrisons to be held liable. The Court found that Mr Skelton was entrusted with the payroll data as part of his role and that the tortious act of sending it to third parties was in the field of activities assigned to him. His actions were “seamless and continuous” and “an unbroken chain of events”. Therefore, Morrisons was vicariously liable.
An unusual feature, and one basis for the appeal, was that although motive is usually irrelevant, in this case Mr Skelton’s objective was to cause damage to his employer. Morrisons argued that in finding it vicariously liable, the Court had become an accessory in furthering Mr Skelton’s criminal aims. However, the Court did not agree that this meant there could be an exception to the principle that motive is irrelevant.
Morrisons has indicated that it intends to appeal to the Supreme Court.
This is a very worrying decision for employers. As the court itself recognised, there is no failsafe system for preventing a rogue employee who is determined to deliberately cause damage to his/her employer in this way. Morrisons was not guilty of any failure which enabled the breach to occur but it ended up with the liability.
This case does not deal with quantum, which will be determined once any appeal to the Supreme Court has been heard. The data breach does not appear to have caused any financial loss to the employees and any amount awarded per individual may be fairly nominal. However, as there are potentially 100,000 employees affected compensation could be significant. It will be interesting to see how the Court approaches this.
This decision was made under the DPA 1998 and is the first group litigation on data breach in 20 years. There are now fears that, following the success of the claimants in this case, more claims of this nature will be brought. Unfortunately for employers, unless the Supreme Court overturns this decision, this scenario seems more likely: since the implementation of GDPR, businesses are under an obligation to tell individuals about any data breach, which will effectively put them on notice that they have a claim.
The Court considered the “potentially ruinous costs” implications raised by Morrisons but decided that this was not an issue as in its view the employer could put insurance in place to cover this. Employers would therefore be well-advised to take steps to investigate and if possible put in place cyber insurance to cover the actions of malicious and dishonest employees. Whether insurance companies will cover this risk remains to be seen.
For more information please contact Nick Hurley.