The Court of Appeal (“CA”) has upheld the High Court’s earlier decision in WM Morrison Supermarkets plc v Various Claimants that an employer can be vicariously liable for a data protection breach caused by a rogue employee who deliberately set out to commit criminal wrongdoing.
Mr Skelton was a senior IT internal auditor employed by Morrisons. Following an incident involving the unauthorised use of Morrisons’ postal facilities, Mr Skelton was issued a verbal warning. Consequently, Mr Skelton held a grudge against Morrisons. Three months later, Mr Skelton was tasked with providing external auditors, KPMG, with an encrypted USB stick containing payroll data. In addition to doing this, Mr Skelton copied the payroll data onto his own personal memory stick. A couple of months later, on a Sunday in his personal time, Mr Skelton posted the payroll details (i.e. names, addresses, bank account details and salaries) of almost 100,000 employees online using a colleague’s identity. He also anonymously sent a CD containing a copy of the personal data to three newspapers, purporting to be a concerned citizen who had discovered that Morrisons’ payroll data was available online.
Mr Skelton was convicted of fraud and sentenced to eight years’ imprisonment. 5,518 Morrisons workers brought a claim against Morrisons arguing that it should be held vicariously liable for Mr Skelton’s deliberate data breach.
The Court of Appeal’s decision was handed down on 22 October 2018.
The CA upheld the High Court’s decision that:
- There was a sufficient connection between Mr Skelton’s employment and his wrongful conduct. The actions of Mr Skelton in sending the personal data to third parties were ‘within the field of activities assigned to him by Morrisons’ and part of a ‘seamless and continuous sequence of events’ that linked his employment to the disclosure. The fact that Mr Skelton had chosen to disclose the data in an unauthorised way was closely related to his task of receiving and storing the payroll information, and then disclosing it to a third party; and
- The motive of Mr Skelton was irrelevant even though his intention was to cause financial and reputational damage to Morrisons.
The case is the first ever class action concerning a data breach to be heard by the courts, and the CA’s decision will have substantial financial implications for employers. In response to concerns that this decision could lead to significant claims against employers held vicariously liable for the intentional wrongful acts of their staff, the CA suggested that insurance cover would be an appropriate solution.
This is a surprising decision and Morrisons has confirmed that it will appeal to the Supreme Court.
In the meantime:
- Review your existing insurance cover to check if it covers this type of employee wrongdoing; and
- Be aware that your employees’ actions, even those carried out in their personal time and intentionally committed to cause harm to your business by criminal means, may be found to have been carried out ‘in the course of their employment’, leaving the organisation liable for them.
See our previous update here for another important decision from the CA on vicarious liability.