The question for other employers, including universities, is whether they are facing a similar risk. In short, they may well be and here we look at why that is and at what practical measures universities might put in place to mitigate it.
Morrisons employed Mr Skelton as a senior internal IT auditor. The role specifically required him to receive, on a daily basis, information that was confidential or for limited circulation. Morrisons appointed him on the basis that this would happen and that he could be trusted to handle that information safely.
Following a disciplinary hearing into his unauthorised use of Morrisons’ postal facilities for his private purposes, Mr Skelton was given a verbal warning. The incident did not itself suggest that Mr Skelton was not to be trusted. The disciplinary action left him with a grudge against his employer and he then planned his revenge.
Mr Skelton was required to download payroll data of about 100,000 employees from an encrypted USB stick, copy it to his encrypted PC, then copy it on to another encrypted USB stick supplied by KPMG and hand it over. He then also copied it onto a personal USB stick with a view to disclosing the data. Using the initials and date of birth of another employee in an attempt to frame him, Mr Skelton uploaded the payroll data to a file-sharing website. Later, he anonymously sent CDs containing the data to various newspapers when Morrisons was about to announce its annual financial reports. One of the newspapers alerted Morrisons to the disclosure and, within a few hours, the website was taken down.
Mr Skelton was arrested and charged with fraud and offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA). He was convicted and sentenced to eight years in prison.
The judge, at first instance, held that Morrisons had provided adequate and appropriate controls, in accordance with its obligation under the seventh data protection principle (data security). It had not ensured that he deleted the data within a reasonable time but, on the facts, Mr Skelton had copied it before a ‘reasonable time’ had expired, so it made no difference. Morrisons was not therefore primarily responsible for its employee’s leak of the payroll data.
Morrisons argued that it should not be liable for Mr Skelton’s dishonest acts because:
The Court of Appeal decided that:
The Court of Appeal appears to have treated the latter point as a public policy consideration and balanced it against a competing one, namely that an injured party should not be left without an effective remedy. Since Morrisons could insure against vicarious liability for wrongful acts by rogue employees, but Mr Skelton could not insure against liability for his own deliberate wrongdoing, the balance lay in favour of finding Morrisons vicariously liable for Mr Skelton’s actions.
Morrisons is appealing to the Supreme Court, principally on the public policy point. Even if the Supreme Court were to overrule the Court of Appeal on that point, it would have limited impact on the effect of the rest of the judgment, since the motives of rogue employees are more usually personal gain, or damage to those whose personal data they misuse, than damage to their employer.
Over 5,500 employees and former employees have sued Morrisons in a class action. If Morrisons loses at the Supreme Court, it faces damages claims for breach of the DPA, misuse of their private information and breach of confidence. It seems that none of the employees has suffered any actual financial loss. The damages case will be interesting because it is likely to set the ‘going rate’ for data breaches where no specific loss can be shown.
The key takeaway at this stage is that the duty to ensure that your employees are trustworthy for the roles to which they are appointed is a continuing one. It does not come to an end on appointment.
We recommend that universities take the following steps:
This article first appeared in University Business.