Morrisons liable for data breach by employee with a grudge
Morrisons supermarket chain may have to pay compensation to more than 5,000 of its staff after their confidential data was published online by an employee with a grudge.
The Court of Appeal heard that Andrew Skelton had worked for Morrisons as an internal IT auditor. He developed a grudge against the company after being disciplined.
He copied the personal data of thousands of employees and posted it on the web, using another employee's details to conceal his actions.
Skelton was convicted of criminal offences, including fraud, securing unauthorised access to computer material and disclosing personal data. He was jailed for eight years.
The employees affected claimed damages from Morrisons for misuse of private information and breach of confidence, and for breach of the company’s statutory duty.
The judge found that Morrisons had not directly misused or permitted the misuse of any personal information and was therefore not primarily liable in that respect.
However, he held that there was sufficient connection between the position in which Skelton was employed and his wrongful conduct to justify holding the employer vicariously liable.
Morrisons appealed on various grounds, including the principle that it could not be vicariously liable for Skelton’s actions because they did not occur during his employment.
The Court of Appeal upheld the judge’s decision. It held that the employees' causes of action against Skelton were already established when he improperly downloaded their data on to his USB stick while at work.
In addition, there were numerous cases in which an employer had been held vicariously liable for illegal acts committed away from the workplace.
The judge had correctly concluded that Skelton's actions at work and the disclosure on the web were a seamless and continuous sequence of events: the steps he had taken and his attempts to hide them were all part of a plan.
An unusual feature of the case was that the aim of the wrongdoing was to harm the employer, not for Skelton to achieve some benefit for himself. It might, therefore, be thought that to impose vicarious liability on Morrisons would result in furthering his aim.
However, if that argument were to succeed, then where an employee misused data to steal money from another employee's bank account, the victim would have no remedy except against the wrongdoer themselves. Accordingly, the employer was vicariously liable for Skelton's actions.
A spokesman for Morrisons said: “Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible so that’s why we will now appeal to the Supreme Court.”
We shall keep clients informed of developments.
Please contact Sarah Liddiard or Sorcha Monaghan if you would like more information about the issues raised in this article or any aspect of data protection or employment law.