
Morrisons Supermarket Vicariously Liable for Data Breach Committed by its Employee

on Friday, 02 November 2018.

In WM Morrison Supermarkets plc v Various Claimants, an employee disclosed the personal information of around 100,000 fellow employees on the internet.

The case confirmed that there was a sufficient connection between the employee’s employment and his wrongful conduct for liability to be imposed on the employer.

The Facts

Mr Skelton worked for Morrisons as a Senior IT internal auditor. After being involved in a disciplinary hearing, Mr Skelton formed a grudge against Morrisons. During an annual audit Mr Skelton was tasked with providing KPMG with payroll data for employees. A member of HR provided Mr Skelton with the data on a USB stick. Mr Skelton downloaded the data onto his laptop and then on to a KPMG USB stick which he then passed to KPMG as instructed. Two weeks later he downloaded the data on to a personal USB. A further two months later Mr Skelton posted the data of just under 100,000 Morrisons employees (including names, addresses, dates of birth, phone numbers, National Insurance numbers and bank details) to a file sharing website. He also sent the data to three newspapers. He was later arrested and sentenced to eight years in prison.

Over 5,500 employees brought a group action against Morrisons for misuse of private information, breach of confidence and breach of statutory duty. The High Court held that Morrisons were not primarily liable but were vicariously liable for the actions of Mr Skelton. Morrisons appealed to the Court of Appeal (CA).

Can an Employer Be Liable for an Employee's Misuse of Private Information?

In order for vicarious liability to apply, it is necessary to determine whether there is a sufficient connection between the employee's job and the act committed. A two-stage test is used:

  1. Field of activities… the nature of Mr Skelton's job

The CA held that dealing with the data was a task specifically assigned to Mr Skelton, as opposed to something he simply had access to. His role was to receive, store and disclose the data. Therefore, although his disclosure of the data to parties other than KPMG was not authorised, it was still closely related to the tasks he had been assigned.

  2. Sufficient Connection… between what Mr Skelton was employed to do and his wrongful conduct

Although Mr Skelton published the data several weeks after the initial download, outside his working hours, at home and on his own computer, the CA agreed with the High Court that the act was not disconnected from his job; rather, there was a 'seamless and continuous sequence' or 'unbroken chain' of events linking Mr Skelton's work to his wrongful conduct.

The CA also confirmed that the motive of the individual committing the breach is irrelevant even where the motive is specifically to cause financial or reputational damage to the employer.

The CA therefore dismissed the appeal, finding Morrisons vicariously liable for Mr Skelton's misuse of confidential information and breach of confidence. Morrisons have expressed an intention to appeal to the Supreme Court.

Best Practice

The High Court Judge held that Morrisons had adequate and appropriate controls in place but that they had failed to ensure that Mr Skelton deleted the data once he had provided it to KPMG.

Interestingly, the Information Commissioner (ICO) found that Morrisons had done nothing wrong. This is significant as it means that employers can be liable for data breaches perpetrated by rogue employees even where the employer is fully complying with data protection legislation.

Managing risks in this area will therefore be difficult; however, employers should consider the following:

  • Checking that their current insurance arrangements provide adequate cover for data breaches, including the potential for large group claims.
  • Considering whether additional checks can be made. This could include taking up extra references before appointing someone to a role that includes responsibility for handling confidential data.
  • If an employee is subject to disciplinary action or raises a grievance, ensuring that the processes followed are fair and reasonable, that any outcome is proportionate and that the communication around the outcome seeks to identify positives so as to avoid damage to the employer/employee relationship.
  • Risk assessing whether disciplinary or grievance processes are likely to increase the risk of a deliberate data breach.
  • Putting in place systematic IT controls that monitor use and provide alerts where policies are breached or unusual activity takes place.

For further information on employment issues, please contact Nick Murrell in our Employment Law team, on 0117 314 5627.