25 October 2018

Court of Appeal upholds business’s liability for data breach by rogue employee

WM Morrison Supermarkets plc v Various Claimants [2018] EWCA Civ 2339

In a judgment that will cause businesses to sit up and take note, the Court of Appeal has this week upheld a decision by the High Court that made an employer vicariously liable for a rogue employee’s breaches of confidence and statutory duty. The fact that the breaches were carried out by an employee who intended to harm the employer, and that no significant fault was levelled at the employer’s policies, procedures or handling of the matter, did not dissuade the Court from finding the employer vicariously liable.

Mr Skelton (Skelton) was a senior IT internal auditor employed by Wm Morrison Supermarkets plc (Morrisons). On 18 July 2013, Skelton was given a formal verbal warning for an incident involving his unauthorised use of Morrisons’ postal facilities for private purposes, leaving Skelton with a grudge.

On 1 November 2013, Morrisons’ external auditor requested a number of categories of data (including payroll data) from Morrisons as part of its annual audit. Skelton was tasked with transferring this data to the external auditor but, in doing so, also copied the data onto a personal device with a view to later committing a crime by disclosing it.

On 12 January 2014, Skelton published the personal details of 99,998 employees of Morrisons on a file sharing website and provided links to the data on other websites. The data contained the names, addresses, gender, dates of birth, contact numbers, national insurance numbers, bank sort codes, bank account numbers and salaries of the employees. To further harm Morrisons, on 13 March 2014, Skelton anonymously sent a CD containing the data, together with links to where it was available online, to three UK newspapers, purporting to be concerned that the data was available online.

Morrisons’ senior management were alerted to the disclosure on 13 March 2014 by the newspapers, who did not publish the data. Within hours Morrisons took steps to ensure that the website containing the data was taken down, and Morrisons alerted the police. Skelton was arrested within a week and was sentenced to eight years’ imprisonment for fraud in July 2015.

On 8 December 2015, 5,518 employees of Morrisons made a claim against Morrisons for misuse of private information, breach of confidence and breach of statutory duty. The trial in the High Court took place between 9 and 19 October 2017.

The High Court rejected the claim that Morrisons bore primary liability for Skelton’s wrongdoing. However, adopting the broad and evaluative approach urged by the Supreme Court in another case involving Morrisons (Mohamud v Morrisons [2016] UKSC 11), which established the precedent that an employee’s motive is irrelevant in cases of vicarious liability, the High Court ruled that there was a sufficient connection between Skelton’s wrongdoing and his employment to hold Morrisons vicariously liable for his acts.

In this week’s ruling, the Court of Appeal has ratified the High Court’s decision and agreed that, as Skelton received the data whilst he was acting as an employee of Morrisons and his role was to transfer the data to a third party (albeit a specified one), there was a sufficient connection between Skelton’s actions and what he had been tasked to do to hold Morrisons vicariously liable. This was deemed to be the case despite the online disclosure being completely unauthorised and made by Skelton from home, on a non-working day, using personal equipment.

The Court of Appeal deemed Skelton’s actions to be ‘seamless and continuous’ and ‘an unbroken chain of events’ in connection with his employment. Although, perhaps unusually, Skelton’s intention was to cause financial or reputational damage to his employer, the Courts have not accepted that an exception should be made to the precedent in Mohamud that an employee’s motive is irrelevant in cases of vicarious liability. In Mohamud, the judge remarked that “[t]he risk of an employee misusing his position is one of life’s unavoidable facts”.

The Court of Appeal acknowledged that the finding of vicarious liability in situations such as this may lead to a large number of claims against an unfortunate company for potentially ruinous sums and suggested that the solution is for employers to insure against losses caused by dishonest or malicious employees.

Practical steps which businesses can take to limit exposure

Although vicarious liability is highly fact specific, it is clear from the Court of Appeal’s decision in this case that there is no silver bullet for businesses to absolve themselves of vicarious liability in civil claims arising from their employees’ handling of personal data, malicious or otherwise.

That said, there are practical steps which businesses should be taking to reduce the likelihood of things going wrong, and their impact if they do, some of which are summarised below:

    1. Narrow the amount of personal data provided to employees to only that which is essential for them to do their job.
    2. Ensure that business policies and procedures are up to date and that any staff who handle, or may come across, personal data have the relevant level of training in both data protection and applicable policies and procedures.
    3. As far as practicable, limit the ways in which personal data can be transferred from and between devices.
    4. Review the business’s security breach handling plans to ensure that you are ready to respond to a data breach efficiently and expeditiously.
    5. Seek appropriate insurance to protect against the misdeeds of staff.