135: Morrisons Supermarkets held vicariously liable for employee’s deliberate data breach

In a significant judgment, the Court of Appeal has upheld the decision of the High Court that Morrisons Supermarkets was vicariously liable for the deliberate leak of the personal data of almost 100,000 employees by a disgruntled employee (W M Morrisons Supermarkets Plc v Various Claimants). This is the first class action concerning a data breach in the UK.

Mr Skelton was employed by Morrisons as a senior IT auditor. He developed a grudge against Morrisons after being subject to disciplinary proceedings for using the company’s postal facilities for private purposes. As part of the annual audit process, Mr Skelton was entrusted with passing on the payroll data of around 100,000 employees to the external auditors. Using another employee’s details in an attempt to conceal his actions, he copied and leaked this data online and alerted several newspapers to the leak. He was subsequently convicted of various criminal offences and jailed for fraud.

Around 5,500 of the affected employees claimed damages from Morrisons for misuse of private information, breach of confidence and breach of duty under the Data Protection Act 1998. The High Court held that whilst Morrisons was not directly liable, it was vicariously liable for Mr Skelton’s actions because there was a sufficient connection between his illegal actions and the role for which he was employed.

The Court of Appeal has now unanimously rejected Morrisons’ appeal. It found that Mr Skelton was entrusted with the data for the purposes of his role as auditor. Covertly downloading this data onto his personal USB stick and disclosing it on the internet was part of a continuous sequence of events which had been planned by him. The Court of Appeal agreed that there was therefore sufficient connection between his position and the data breach to justify imposing liability on Morrisons for his actions.

This case is unusual because Mr Skelton’s motive was to harm his employer rather than another employee or third party, but the Court of Appeal rejected Morrisons’ argument that imposing vicarious liability would further his criminal aims. Subject to any appeal to the Supreme Court, the decision means that employers may be liable for the misuse of personal data by a rogue employee, even if they have otherwise complied with data protection legislation. Although, in theory, employers can insure against such risks, it remains to be seen how insurers will react. The amount of compensation awarded to the affected individuals under the Data Protection Act 1998 may be relatively small, but Morrisons’ liability will be substantial given the number of employees involved. Compensation could be greater under the new regime introduced by the General Data Protection Regulation in May 2018.