Can an employer be liable for its rogue employee's data breach?
Mr Skelton was employed by Morrisons as a Senior IT Consultant. He was not at all happy when Morrisons gave him a verbal warning for a minor incident of misconduct. Mr Skelton wanted to get back at Morrisons. He had the opportunity to do so when, in the course of doing his job, he was entrusted with a raft of payroll information relating to almost 100,000 of his colleagues. The information included names, addresses, gender, dates of birth, phone numbers, NIC numbers, bank sort codes, bank account numbers and salary details. Mr Skelton posted this information on the internet, and also sent it to three newspapers including the Telegraph & Argus.
Mr Skelton was found guilty of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 by Bradford Crown Court, and is now serving a prison sentence.
5,518 of the Morrisons employees whose personal data was disclosed brought claims against Morrisons for compensation under the Data Protection Act 1998 and at common law. They argued that Morrisons was liable, either directly or vicariously, for the criminal actions of its rogue employee.
The High Court held that Morrisons did not directly misuse the employees’ personal data; nor did they authorise its misuse or permit its misuse by any carelessness on their part. Essentially, Morrisons was an entirely innocent party in this case.
However, the question of vicarious liability was a different matter. The concept of vicarious liability imposes legal responsibility on an employer – even when the employer is blameless – for the wrongful actions of its employee committed in the course of his employment. The background to this concept is to enable an innocent victim to claim compensation against a financially responsible defendant. In other words, there is a recognition that the rogue employee often has insufficient funds to pay compensation to the victim of his actions; the principles of social justice should therefore provide the victim with a remedy against an employer with deeper pockets.
In considering whether an employer is vicariously liable, the court must decide whether the employee’s actions were carried out in the course of his employment. In this case, the High Court took the view that Mr Skelton’s role incorporated duties to receive and store payroll data and to disclose the data to a third party (in this case to KPMG, the external auditor). The fact that he chose to disclose it to other third parties - who were not authorised to receive it - was closely related to the task that he was employed to do. When Mr Skelton received the data, he was acting as an employee, and the chain of events from that point until he posted it on the internet was unbroken. This was the case even though he posted it on the internet from home, outside working hours and using his own personal computer. In short, there was sufficient connection between the job that Mr Skelton was employed to do and his wrongful actions to make it right for Morrisons to be held liable both under the data protection legislation and at common law.
Readers may well think that this case is very unfair on Morrisons. Indeed, the Judge commented at the end of his judgment that he was troubled by the fact that Mr Skelton’s wrongful acts were deliberately aimed at Morrisons, the party who was then held responsible to the claimants. In those circumstances, he gave Morrisons leave to appeal; there may therefore be a further chapter to come in this story.
If you would like to discuss any issues raised in this article, we have specific employment law expertise in advising in this area. For further advice, please contact Louise Connacher or a member of the Employment Team.
Please note this information is provided by way of example and may not be complete and is certainly not intended to constitute legal advice. You should take bespoke advice for your circumstances.