Employers have traditionally been legally responsible for the actions of their employees, under the principle known as vicarious liability. This principle can apply even where an employee’s actions are contrary to the instructions of the employer, or even criminal.
It perhaps comes as no surprise, then, that in October 2018 the Court of Appeal in Various Claimants v WM Morrison Supermarkets plc upheld the High Court’s decision that Morrisons was vicariously liable for the actions of former employee Andrew Skelton. The case is by no means ground-breaking in legal terms, but it is the UK’s first data leak group action. It not only paves the way for future group actions in light of the enforcement of the EU General Data Protection Regulation (“GDPR”), but also reminds businesses of just how widely the principle of vicarious liability can be applied, and of the potential consequences.
Mr. Skelton was a senior IT internal auditor employed by Morrisons. In July 2013, Mr. Skelton was issued with a formal verbal warning for using the company’s postal facilities for his own private use. He was frustrated by the disciplinary procedure and the outcome and developed a grudge against his employer.
In November 2013, Morrisons’ external auditor requested a copy of the company’s payroll data to undertake its annual audit. An employee in the HR department copied the data onto an encrypted memory stick and passed it to Mr. Skelton, who copied the data onto his encrypted laptop and then onto another encrypted memory stick supplied by the external auditor, which he returned to them.
Whilst at work a few weeks later, Mr. Skelton copied the payroll data from his laptop onto his personal memory stick. A couple of months later, at home one weekend, Mr. Skelton posted a file containing the personal details of nearly 100,000 employees to a file-sharing website. Unsatisfied, Mr. Skelton then anonymously sent a CD containing the data, and a link to the file-sharing site, to three newspapers. None of the newspapers published the information, but one did contact Morrisons. Within a few hours, the website had been taken down and the police were alerted.
Mr. Skelton was arrested and charged and, in July 2015, he was found guilty of criminal offences of fraud, securing unauthorised access to computer material and disclosing personal data. He was sentenced to eight years in prison.
Claim against Morrisons
A claim was brought against Morrisons by 5,518 employees. It was alleged that Morrisons was primarily liable for the misuse of private information, breach of confidence and breach of statutory duty under the Data Protection Act 1998, and if not, it was vicariously liable for the wrongful conduct of Mr. Skelton.
In the High Court, the judge dismissed the claims for primary liability, but found that Morrisons was vicariously liable for Mr. Skelton’s actions.
Morrisons appealed on the grounds that the Data Protection Act 1998 excludes vicarious liability and causes of action for misuse of private information and breach of confidence, whether committed directly or vicariously. The company claimed that Mr. Skelton’s wrongful acts were not committed during the course of his employment and Morrisons could, therefore, not be vicariously liable for those acts.
The Court of Appeal held that the Data Protection Act 1998 does not exclude either vicarious liability or liability for misuse of private information and breach of confidentiality. As to whether Morrisons was vicariously liable for Mr. Skelton’s actions, the Court referenced the case of Mohamud v WM Morrison Supermarkets plc, in which it was held that the Court has to consider two matters:
- first, the nature of the employee’s job, which must be considered broadly, and
- second, whether there is a sufficient connection between the employee’s position and his wrongful conduct.
The Court of Appeal agreed that Morrisons had entrusted Mr. Skelton with the payroll data and that it was his job to receive the data, store it and disclose it to a third party. Just because he decided to disclose it to others, as well as Morrisons’ external auditors, did not change that.
The Court of Appeal rejected the argument that the close connection test was not satisfied, even though the disclosure was made from Mr. Skelton’s personal computer at his home, several weeks after the data had been downloaded onto his personal memory stick. The Court of Appeal held that the employees’ right of action had arisen when Mr. Skelton downloaded the data onto his memory stick, and that whilst the time and place an act occurs are relevant, they are not conclusive. The disclosure was not disconnected by time, place or nature from Mr. Skelton’s employment; in fact, it formed part of a “seamless and continuous sequence of events” and, as such, Morrisons was vicariously liable to the claimant employees for Mr. Skelton’s criminal acts.
Morrisons has stated that it intends to appeal to the Supreme Court.
Clarion comment - minimising the risk
As was recognised by the Court of Appeal, there is nothing novel, in pure legal terms, about this case, but there is one new factor – the motive of an employee to harm his employer. There have been many cases previously where an employer has been held to be vicariously liable for its employee’s deliberate wrongdoing, with motives ranging from greed to sexual gratification. However, motive is irrelevant to the issue of employer liability, and the fact that the employee’s motive here was to cause financial and reputational damage to his employer is no different.
This case is a stark reminder to businesses of just how widely the principles of vicarious liability can be interpreted and applied. As the Court of Appeal stated, “the risk of an employee misusing his position is one of life’s unavoidable facts,” but there are things businesses can do to minimise this risk. Businesses need to:
- be mindful of employees they are entrusting with employment in positions with access to personal and other sensitive data;
- be aware that employees can develop grudges and look to minimise and manage the risks that may flow from this;
- check what insurance cover they have for liability and losses caused deliberately by dishonest or malicious employees;
- be aware of their duties in relation to data protection, particularly in light of the enforcement of the GDPR;
- consider, as a matter of general policy, practical preventative steps to protect the business. These could include locking down USB ports, prohibiting the use of USB devices and imposing system restrictions on who can access what information, so as to minimise the risk of files being removed from the business. Such steps will go some way to addressing the comments by the Information Commissioner’s Office that Morrisons had not taken sufficient preventative measures.
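One concrete way to implement the USB lock-down the list recommends, as an added example that is not part of the original post or of Morrisons’ own controls: it assumes a Windows endpoint administered locally (in a domain the same two settings are normally pushed by Group Policy) and uses the standard registry locations for the “All Removable Storage classes: Deny all access” policy and the USB mass-storage driver. Run it as an administrator; the check function gives a simple compliance test.

```powershell
# Added example (not from the Clarion post or Morrisons): local-registry form of the
# Group Policy setting "All Removable Storage classes: Deny all access" plus disabling
# the USB mass-storage driver (USBSTOR). Assumed: standard Windows registry paths,
# run as Administrator. In a domain, prefer pushing the same settings via GPO.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-RemovableStorageDenied {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set Deny_All=1')) {
        # Deny_All = 1 is the registry form of "All Removable Storage classes: Deny all access".
        Set-ItemProperty -Path $PolicyKey -Name 'Deny_All' -Value 1 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start=4 (disabled)')) {
        # Start = 4 stops the USB mass-storage driver from loading at all.
        Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
    }
}

function Test-RemovableStorageDenied {
    # Returns an object whose Compliant field is $true only when both controls are in place;
    # run it from an audit script to catch machines where the policy has not applied.
    $deny  = (Get-ItemProperty -Path $PolicyKey  -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $start = (Get-ItemProperty -Path $UsbStorKey -Name 'Start'    -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        DenyAllPolicy   = ($deny -eq 1)
        UsbStorDisabled = ($start -eq 4)
        Compliant       = ($deny -eq 1 -and $start -eq 4)
    }
}

Set-RemovableStorageDenied -WhatIf   # preview the changes; drop -WhatIf to apply them
Test-RemovableStorageDenied
```

The Deny_All policy takes effect after the next policy refresh or reboot, so the check may report non-compliance until then; a device already mounted before the change is not ejected.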
The true extent of the damage Mr. Skelton has caused Morrisons will be seen when the High Court assesses, at a later date, the compensation that Morrisons will have to pay its employees for this data breach.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.