Morrisons vicariously liable for breaches

Posted: 23rd October 2018

Data SecurityIn a decision that should make every employer sit up and take notice, the Court of Appeal has ruled Morrisons are indirectly liable for the misdeeds of an errant employee who leaked its payroll data onto the Internet.

IT auditor, Andrew Skelton, bore a grudge against the chain and used a USB stick and a laptop computer to place personal details of almost 100,000 employees on a file sharing website. After the leak was tracked to him, he was convicted of fraud, together with offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA), and was sentenced to eight years’ imprisonment.

After lawyers representing over 5,000 affected employees launched proceedings, a judge found that Morrisons had not directly misused, or authorised or carelessly permitted the misuse, of any of the relevant data. However, it found on the facts of the case that Mr Skelton's nefarious actions were sufficiently closely connected to his employment as to render the chain vicariously liable.

In challenging that decision, Morrisons argued that it, rather than its staff, was the Mr Skelton's intended victim and that the judge’s ruling had enabled him to achieve his objective of harming its interests. The finding of vicarious liability would place an enormous burden of the supermarket chain and other employers who found themselves in a similar situation.

In dismissing the appeal, however, the Court found that the common law remedy of vicarious liability is neither expressly nor impliedly excluded by the terms of the DPA. It noted that, if the defendant’s arguments were correct, a hypothetical employee who had money stolen from his bank account as a result of a data leak by a co-worker would have no remedy, save against the wrongdoer personally.

Noting the large number and huge scale of recent corporate data breaches, the Court observed that it is incumbent on those exposed to potentially catastrophic losses to take out appropriate insurance. The Court's decision opened the way for the affected employees to seek compensation from Morrisons in respect of any losses suffered.