News

Morrisons Data Breach

The Court of Appeal upheld a ruling that the supermarket chain Morrisons is vicariously liable for compensation claims arising from the actions of a former employee jailed for leaking payroll data.

When is an employer liable, directly or vicariously, for the criminal actions of a rogue employee in disclosing personal information of co-employees on the web, whether under the Data Protection Act 1998, an action for breach of confidence, or in an action for misuse of private information?

Employers will be watching this data breach case with interest, and perhaps dread, as damages will be assessed and Morrisons takes their appeal to the Supreme Court.

Various Claimants v Wm Morrison Supermarkets PLC [2017] EWHC 3113 (QB) was a group action brought by some 5,000-plus Morrisons employees against their employer after a disgruntled employee leaked payroll data in 2014.

Brief Facts

The payroll details of nearly 10,000 Morrisons employees were removed from the Morrisons database and placed online by Andrew Skelton, a senior IT auditor employed by Morrisons. Subsequent investigation established that the data had been copied in November 2013 for proper purposes, then copied by Skelton to a personal USB stick and uploaded to the internet. Skelton himself then tried to alert the media to the breach in an attempt to affect the share price.

Skelton was arrested and charged with offences under the Computer Misuse Act 1990, with fraud, and under Section 55 of the Data Protection Act 1998. He was tried at Bradford Crown Court in July 2015 and convicted, and was sentenced to a term of 8 years' imprisonment, which he is still serving.

5,518 of the affected employees joined group litigation against Morrisons in the High Court alleging both primary and vicarious liability for: (i) misuse of private information; (ii) breach of confidence; and, (iii) breach of the Data Protection Act 1998.

Primary Liability

It was held that Morrisons was not directly liable for any misuse of private information or breach of confidence, the judge finding that Skelton had been "acting without authority and criminally". It was Skelton, not Morrisons, whom the judge held to be the data controller at the time of the data breach. Six areas were identified in which Morrisons, as Skelton's employer, could have breached the seventh data protection principle, but Morrisons was found lacking only in its management of the deletion of data, and that failure could not have prevented this breach. Morrisons was therefore not primarily liable under the DPA.

Vicarious Liability

The judge did, however, find Morrisons vicariously liable under all three causes of action. That Skelton had unlawfully disclosed the data from a personal computer, at home and outside working hours, was not sufficient to break the chain of events.

Morrisons appealed on three grounds, all of which were rejected by the Court of Appeal. On the third ground (that Skelton's actions did not occur in the course of his employment, so that Morrisons could not be held vicariously liable), the Court of Appeal agreed with Langstaff J at first instance that there was a sufficient connection between the wrongful acts and the specific tasks Skelton had been authorised to perform. The Court rejected the argument that vicarious liability applies only when the employee is "on the job" and instead held that "there was an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events".

In response to Morrisons' suggestion that the court was an accessory to Skelton, the Court applied Mohamud v WM Morrison, stating that the employee's motive is irrelevant, and that the present case was no exception.

What does this mean for employers and data controllers?

This is the first case to make an employer vicariously liable for data protection breaches, and Morrisons is set to appeal to the Supreme Court. Employers and data controllers will naturally be worried by the suggestion that, no matter how rogue an employee's actions are, the employer may be liable if those actions are connected to the employment. This is particularly pertinent because the ICO concluded in 2014, following its investigation into this case, that Morrisons had not breached the DPA and should not be fined.

This case is a good reminder that cyber security issues are not just external threats, and that employers should make sure adequate safeguards and policies are in place, particularly for those with access to sensitive data of whatever nature, remembering that employee data is just as relevant as customer data. It is worth considering whether it is appropriate to have more stringent controls on bring-your-own-device policies, external emails and the use of USB sticks, and whether USB drives should be disabled altogether.
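The removable-media control mentioned above can be put in place on a Windows estate without third-party tooling. The following script is an added illustration, not part of the Ortolan article or of any Morrisons policy: it disables the Windows USB mass-storage driver by setting the USBSTOR service start type to 4 (disabled) and switches on the "Removable Storage" audit subcategory so that any file access on removable media that does still occur is recorded in the Security event log. It must be run in an elevated PowerShell session, and in practice would be deployed through Group Policy or endpoint management rather than run by hand.

```powershell
# Added example: disable USB mass storage and audit removable-media access on Windows.
# Run from an elevated (Administrator) PowerShell session.

$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Start = 3 loads the driver on demand (USB storage works); Start = 4 disables it.
$current = (Get-ItemProperty -Path $usbstor -Name Start).Start
Write-Output "USBSTOR Start value is currently $current (3 = enabled, 4 = disabled)"

if ($current -ne 4) {
    Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord
    Write-Output 'USB mass-storage driver disabled; applies to devices attached from now on.'
}

# Enable the "Removable Storage" audit subcategory. Each file access on removable
# media then produces a Security-log event 4663 with a Removable Storage task category,
# giving investigators a record of what was copied, by whom and when.
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable

# Confirm the audit setting took effect.
auditpol /get /subcategory:"Removable Storage"
```

Disabling the driver is a blunt control and will break legitimate use of USB drives, so exceptions for roles that genuinely need removable media should be managed centrally; the audit events are the part that matters for detecting and investigating an insider copy like the one in this case.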

Employers should also consider insurance, particularly as the judgment suggested that the solution was for companies to insure against such catastrophes, and consider introducing indemnities into employment contracts.

As for the extent of financial exposure, this appeal focused only on liability with damages being assessed separately. At this point, we watch and wait.

Posted on 11/01/2018 by Ortolan
