CA Reject Morrison Vicarious Liability Appeal

It is the nightmare scenario that could affect any business – and potentially close it. You have taken all the right and proper steps to protect the personal data by the company, but a rogue employee breaches all your rules and you end up liable not only for the costs of correcting that employee’s wrongdoing, but for providing compensation for those affected.

In a decision that has caused huge concern in businesses across the UK, the supermarket Wm Morrison has been held vicariously liable for a former employee leaking personal information of some 100,000 members of staff.

On Monday this week the Court of Appeal rejected Morrison’s appeal in the UK’s first data protection class action.

Personal data protection

In 2014 Andrew Skelton, a senior internal auditor at Morrison, who had been disciplined for running an eBay trading business from the post room at its Bradford headquarters, deliberately and maliciously posted the bank account details, dates of birth, national insurance numbers, addresses and telephone numbers of 100,000 members of Morrison’s staff on the internet.

Skelton posted the payroll data online on a public file-sharing website, tipped off the press and tried to implicate an innocent colleague. Once the press made the company aware of the breach, it acted promptly to get the website hosting the data taken down. It also liaised quickly with banks and the police.

Skelton was jailed for eight years in 2015 for fraud, securing unauthorised access to computer material and disclosing personal data. The company gave evidence to the criminal court that it had cost £2,000,000 to deal with and rectify Skelton’s fraud and unlawful activities.

In response to civil claims brought against the company by 5,518 claimants, the initial decision found that Morrison had no primary liability. Vicarious liability depended on whether a sufficient connection existed between the actions of Skelton and the “course of [his] employment.”

The court found, that there was a sufficient connection to establish vicarious liability because:

  • An unbroken thread linked Skelton’s employment to the disclosure as a “seamless and continuous sequence of events”;
  • The company deliberately entrusted Skelton with the data during the course of his employment; and
  • The company tasked Skelton with receiving, storing and disclosing the data therefore, his actions (albeit unlawful) were closely related to the task he was given.

The Court of Appeal agreed the company was vicariously liable for the leak. In the ruling, the judges said there had been many instances of data breaches in recent years caused by corporate system failures or negligence by individuals. These might lead to large numbers of claims for “potentially ruinous amounts”.

The Court has suggested that the solution is to insure against such catastrophes, and employers can likewise insure against losses caused by dishonest or malicious employees.

The finding enables the claimants — and other employees — to receive compensation.

Morrison has said it will seek leave to appeal at the Supreme Court, but it is anticipated that an appeal will fail. However, as it is not clear that any employee suffered material loss compensation might be minimal.

The decision has significant implications for all data controllers and data processors. Vicarious liability was established even though, overall, the company had discharged its own obligations as required under the Data Protection Act 1998 and common law.

Organisations now have a far greater duty of care to protect users and prevent the unlawful activities of disgruntled staff. They must be far more careful about what information staff have access to across every part of the business. The case reinforces the levels of technical and organisational controls that need to be in place even in the most trusted parts of your business to ensure that personal data is not stolen or otherwise misused.

If you have HR queries and problems get in touch!

Sign up for our free resources and free weekly tip - subscribe here.

Phone 0345 644 8955
LinkedIn Russell HR Consulting

DISCLAIMER

Although every effort has been made to ensure the accuracy of the information contained in this blog, nothing herein should be construed as giving advice and no responsibility will be taken for inaccuracies or errors.

Copyright © 2018 all rights reserved. You may copy or distribute this blog as long as this copyright notice and full information about contacting the author are attached. The author is Kate Russell of Russell HR Consulting Ltd.