The case confirmed that there was a sufficient connection between the employee’s employment and his wrongful conduct for liability to be imposed on the employer.
Mr Skelton worked for Morrisons as a Senior IT internal auditor. After being involved in a disciplinary hearing, Mr Skelton formed a grudge against Morrisons. During an annual audit Mr Skelton was tasked with providing KPMG with payroll data for employees. A member of HR provided Mr Skelton with the data on a USB stick. Mr Skelton downloaded the data onto his laptop and then on to a KPMG USB stick which he then passed to KPMG as instructed. Two weeks later he downloaded the data on to a personal USB. A further two months later Mr Skelton posted the data of just under 100,000 Morrisons employees (including names, addresses, dates of birth, phone numbers, National Insurance numbers and bank details) to a file sharing website. He also sent the data to three newspapers. He was later arrested and sentenced to eight years in prison.
Over 5,500 employees brought a group action against Morrisons for misuse of private information, breach of confidence and breach of statutory duty. The High Court held that Morrisons were not primarily liable but were vicariously liable for the actions of Mr Skelton. Morrisons appealed to the Court of Appeal (CA).
In order for vicarious liability to apply, it is necessary to determine whether there is a sufficient connection between the employee's job and the act committed. A two-stage test is used:
The CA held that dealing with the data was a task specifically assigned to Mr Skelton, as opposed to something he simply had access to. His role was to receive, store and disclose the data. Therefore, although his disclosure of the data to parties other than KPMG was not authorised, it was still closely related to the tasks he had been assigned.
Although Mr Skelton had committed the act of publishing the data several weeks after the initial download, outside of his working hours, whilst he was at home using his own computer, the CA agreed with the High Court that the act was not disconnected from his job; rather, there was a 'seamless and continuous sequence' or 'unbroken chain' of events linking Mr Skelton's work to his wrongful conduct.
The CA also confirmed that the motive of the individual committing the breach is irrelevant, even where the motive is specifically to cause financial or reputational damage to the employer.
The CA therefore dismissed the appeal, finding Morrisons vicariously liable for Mr Skelton's misuse of confidential information and breach of confidence. Morrisons have expressed an intention to appeal to the Supreme Court.
The High Court Judge held that Morrisons had adequate and appropriate controls in place but that they had failed to ensure that Mr Skelton deleted the data once he had provided it to KPMG.
Interestingly, the Information Commissioner (ICO) found that Morrisons had done nothing wrong. This is significant as it means that employers can be liable for data breaches perpetrated by rogue employees even where the employer is fully complying with data protection legislation.
Managing risks in this area will therefore be difficult; however, employers should consider the following: