In October 2018, the Court of Appeal upheld the decision of the High Court (this has been a long-running case!) that Morrisons was vicariously liable for the actions of an unhappy employee, who had posted the payroll details of about 100,000 employees online!
Andrew Skelton was a Senior Internal Auditor at Morrisons HQ and in 2014 he leaked the payroll data, posting it to a file-sharing website online and sending it to newspapers. Skelton had apparently been bearing a grudge against his employer because of a previous disciplinary issue (which was not data related). Morrisons became aware of the data breach in March 2014. Skelton was arrested and subsequently convicted and jailed for 8 years in July 2015 after being found guilty of fraud, securing unauthorised access to computer material and disclosing personal data (under the Computer Misuse Act 1990 and the Data Protection Act 1998).
5,518 workers who were affected by this breach of personal data (which included names, dates of birth, addresses, national insurance numbers, salaries and bank details) brought the claim against Morrisons, seeking compensation for distress and arguing that the breach had exposed them to possible identity theft and financial loss. The workers alleged that Morrisons was directly liable for breach of statutory duty (under the Data Protection Act) and under common law (for misuse of personal data and breach of confidence), and vicariously liable for the actions of Skelton. Morrisons have said that they worked to get the data taken down quickly, reassured staff that they would not be financially disadvantaged, and were not aware that anybody had suffered any direct financial loss.
Morrisons argued in Court that it could not be held liable for the criminal misuse of the data, but the CoA rejected this, upholding the High Court’s previous ruling that Morrisons was “vicariously liable for the torts committed by Mr Skelton against the workers”. The original High Court decision was that Morrisons was not directly liable for the data breaches, as Skelton had created a copy of the original data, and was not liable under common law; however, it was vicariously liable for the employee’s actions.
The case is important as it is seen as the first ‘class action’ (i.e. multiple claimants) about data leaks, and because it places a greater liability on the employer for the actions of their employees. If a close connection can be found between an employee’s job and their conduct, that would satisfy the requirements to claim vicarious liability. The High Court found that there was a sufficient connection between the employee’s action and his employment – he had received the data in the course of his employment as part of his job (he had been asked to deliver the data to the company’s external auditor on a USB stick, and was trusted to do that). The Court said that although he had copied it and disclosed the data in an unauthorised way (at a later date and from a home computer), this was closely connected to what he had been asked to do, and his motive for breaching the data was irrelevant.
Morrisons will appeal to the Supreme Court!
Vicarious liability more generally:
Claims for vicarious liability can cover many other situations (not just in relation to personal data, as is described above), including:
- discrimination, bullying and harassment – you can read more about that here and here
- physical assault – you can read more about the case of Bellman v Northampton Recruitment here
- health and safety – you can read more about this in relation to company vehicles here
- negligence – you can read more here