Supermarket Not Liable for Disgruntled Employee’s Data Breach

It makes a pleasant change to write about something that is not coronavirus, and the outcome is a sensible one too.

Andrew Skelton was an internal auditor at Morrisons. Unknown to the company, he held a grudge arising from a previous disciplinary issue. He deliberately put highly sensitive personal data of about 100,000 Morrisons employees online and tried to implicate a colleague. The breach was leaked to the press, which alerted Morrisons.

Morrisons took immediate and comprehensive steps to limit the damage. Skelton was subsequently convicted and sentenced to eight years’ imprisonment. However, six thousand of the affected staff made claims against Morrisons based on its alleged vicarious liability for Mr Skelton’s actions.

Vicarious liability can be established against an employer where ‘the employee is engaged, however misguidedly, in furthering his employer’s business’.

Initially the claimants were successful. The High Court and Court of Appeal found that Mr Skelton had been acting in the course of his employment because his role at Morrisons was sufficiently closely connected to his unlawful acts to make Morrisons vicariously liable for them. Morrisons appealed.

However, earlier this month the Supreme Court overturned their decision and allowed Morrisons’ appeal. The Lords found that the lower courts had erred in concluding that all that was involved in determining an employer’s vicarious liability was whether there was a ‘temporal or causal connection’ between the employment and the wrongdoing.

The Supreme Court reminded us that the ‘close connection’ test applies only if the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.

Whether the employee is acting on the employer’s business or for personal reasons is also relevant for the purpose of determining vicarious liability. In this case, Mr Skelton was authorised to send the payroll data to the company’s auditors. But he was pursuing a vendetta against his employer.

The Court concluded that his wrongful disclosure of the data was not so closely connected with that task that it could fairly and properly be regarded as made by him while acting in the ordinary course of his employment. His motive was therefore crucial in establishing liability. While his employment gave him the opportunity to carry out his rogue act, this was not of itself sufficient to establish vicarious liability.

As many data breaches are caused by malicious actions by employees or ex-employees, this decision will reassure employers.

If you’re an employer with HR queries and problems, get in touch!

Phone 0345 644 8955
LinkedIn Russell HR Consulting

DISCLAIMER

Although every effort has been made to ensure the accuracy of the information contained in this blog, nothing herein should be construed as giving advice and no responsibility will be taken for inaccuracies or errors.

Copyright © 2020 all rights reserved. You may copy or distribute this blog as long as this copyright notice and full information about contacting the author are attached. The author is Kate Russell of Russell HR Consulting Ltd.