81: High Court rules that employer can be vicariously liable for mass data breach caused by employee’s criminal actions

In Various claimants v Wm Morrisons Supermarket PLC, the first group litigation involving a mass data breach, the High Court has ruled that an employer was vicariously liable for an employee’s deliberate disclosure of the personal data of around 100,000 employees.

Mr Skelton was employed by Morrisons as a senior IT internal auditor, which meant that he had access to sensitive and confidential personal data about employees, including payroll information. He became disillusioned with Morrisons following disciplinary action brought against him in July 2013 which he believed was excessive. On 1 November 2013 Mr Skelton was asked to send payroll data to KPMG for external audit purposes. This data was provided to him on an encrypted USB stick which he downloaded onto his computer. He then loaded the information onto another USB stick and forwarded it to KPMG. On 18 November, Mr Skelton copied the data he had downloaded onto his computer onto a personal USB stick. On 12 January 2014, he posted online a file containing the personal details of around 100,000 employees, including salaries, bank details, national insurance numbers and dates of birth. Morrisons took immediate steps to remove the data, which remained online for less than 24 hours. Mr Skelton was subsequently convicted of fraud and other offences, and received a sentence of eight years’ imprisonment.

A group civil action was brought against Morrisons by 5,518 affected employees for compensation in respect of breach of the Data Protection Act 1998 (DPA), misuse of private information and breach of confidence. The High Court held that Morrisons was not directly liable, but was vicariously liable for Mr Skelton’s actions.

Morrisons argued that the DPA does not recognise any vicarious liability for unauthorised acts of employees, and that vicarious liability could not arise at common law for misuse of private information or breach of confidence. However, the High Court disagreed, ruling that Morrisons could in principle be vicariously liable for Mr Skelton’s actions under all three heads of claim.

The High Court went on to consider whether there was a sufficient connection between Mr Skelton’s acts and his employment to make it just and reasonable to impose liability on Morrisons. It concluded that there was a seamless and continuous sequence of events linking his employment and the disclosure of the data. For example, he was entrusted with the employee data as part of his job and was tasked with receiving and storing it, and sending it to a third party. Although his actions were unauthorised, they were still sufficiently connected to his role to render Morrisons liable. Since Mr Skelton had misused his position to harm other employees, it was only fair that Morrisons, which had given him that position, should be held responsible.

This is a difficult case for employers. Subject to appeal to the Court of Appeal, it establishes the principle that a company can be vicariously liable for a data breach even where, as here, it has appropriate measures in place to ensure the security of employees’ personal data. The High Court acknowledged that there is no absolutely safe system for entrusting staff with sensitive data, and that there will always be rogue employees. However, as this case illustrates, a finding of vicarious liability is often based more on public policy than an employer’s culpability. Given the number of employees involved, the potential compensation payable by Morrisons is significant. A remedies hearing will be held at a later stage depending on the outcome of any appeal. Employers should note that the financial consequences of data breaches will be even more significant after the introduction of the EU General Data Protection Regulation in May 2018.

© BDB Pitmans 2024. One Bartholomew Close, London EC1A 7BL - T +44 (0)345 222 9222
