Copyright Moore Barlow LLP (Moore Blatch and Barlow Robbins merged May 2020)

Data breaches by rogue employees – employers still liable: Vicarious liability applies

The Court of Appeal recently upheld a decision of the High Court that found Morrisons Supermarkets vicariously liable for the malicious and criminal actions of a rogue employee who intentionally damaged Morrisons’ reputation by misusing the personal data of almost 100,000 Morrisons employees.

Background

Mr Skelton was employed by Morrisons as a Senior Auditor. This gave him access to highly sensitive personal data. Given his role in providing sensitive payroll data to external auditors, this data included employees’ bank details. Aggrieved following a previous disciplinary offence, Mr Skelton decided to take a copy of the payroll data, post it online and then send it to a number of newspapers.

Mr Skelton was arrested and received a prison sentence of eight years. Civil litigation was taken by a group of 5000 Morrisons’ employees claiming that Morrisons had breached the Data Protection Act 2018 (DPA), misused private information and breached confidentiality.

The decision  

The courts decided that Morrisons was not directly liable itself, but was vicariously liable in relation to the claims. This meant they were held responsible for the actions of Mr Skelton.

Although both courts found that Morrisons had taken all reasonable precautions to protect the sensitive personal data of their employees and was not primarily liable itself for breaching the DPA, it was still liable under the common law principle of vicarious liability. This means that an employer can be liable for the actions of employees where there is a sufficient connection between the employee’s role and the wrongful behaviour that occurs.

The two significant implications for employers were:

  • the court rejected the argument that the DPA excluded vicarious liability, largely on the grounds that the court felt that Parliament would have stated so expressly if it was abolishing an important common law principle

  • the court decided that there was a sufficient connection between Mr Skelton’s role and his later wrongful action – there was a clear chain of events from Mr Skelton having access to and responsibility for dealing with sensitive payroll data leading to his downloading of the data and later unlawful disclosure.  

Interestingly, the court felt that there was no need for Mr Skelton to have disclosed information whilst actually in the office or during normal working hours. He had in fact published the data from his home on a Sunday.

Implications for employers

Morrisons was held to be vicariously liable even though it had put proper security checks and procedures in place. It is important to note, however, that these procedures ensured that it was not primarily liable under the DPA, and so was not also liable to fines from the Information Commissioner’s Office. Its vicarious liability will be in relation to claims for compensation from Morrisons’ employees for any actual financial damage or distress caused by Mr Skelton’s data breach.

Interestingly, the courts placed great emphasis on the fact that Morrisons could (and should) protect themselves against vicarious liability by taking out appropriate insurance. Although there is a growing number of cyber liability policies available, obtaining cover in practice may not be easy, given that many policies will exclude liability in cases of deliberate or malicious action. In addition, even where such cover is allowed, the premiums will inevitably be considerably higher than would otherwise be the case to reflect this risk.

One potential crumb of comfort for employers is that the Court of Appeal stressed that vicarious liability requires there to be a sufficient connection between the employee’s role and the later alleged wrongdoing. Accordingly, it could well be the case that, if an employee who does not normally have access to, or responsibility for, sensitive personal data discloses such data, vicarious liability will not be held to apply against the employer. As always, whether or not vicarious liability applies is ultimately a question of fact, and so it is hard to predict the outcome with certainty.

Morrisons has indicated that it will appeal the decision to the Supreme Court and so there may be some additional twists in this story.

