
innocent employers could be liable for massive-scale data breaches caused by rogue employees

23 October 2018

Innocent employers can be found vicariously liable for data breaches deliberately caused by rogue employees’ criminal actions. Vicarious liability is where an employer is found to be strictly liable, i.e. liable despite not being at fault, for the acts or omissions of their employees.

In one of the UK’s first data protection class action cases, Wm Morrison Supermarkets Plc v Various Claimants, the Court of Appeal upheld the decision that Morrisons was vicariously liable for the criminal actions of a former employee.

Andrew Skelton, a former senior IT internal auditor at Morrisons, copied and disclosed the payroll data of almost 100,000 Morrisons employees on the web. This payroll data included their names, contact details, bank details and information about their salaries. Mr Skelton was convicted of fraud in 2015 and sentenced to 8 years in prison. 5,518 of these employees subsequently brought a claim for compensation from Morrisons for the breach, despite not having suffered any financial loss as a result.

Morrisons was found vicariously liable for Mr Skelton’s unlawful acts because:

  • Mr Skelton was acting within the course of his employment when committing the unlawful acts – they were closely related to the task he was appointed to do, which was to transfer the payroll data to KPMG for an external audit
  • although the disclosure was made from his home, it was part of an unbroken chain of events including the wrongful acts, which were within the field of activities assigned to him as an employee of Morrisons.

The court recognised that a novel feature of this case was Mr Skelton’s vindictive motive; he held a grudge against Morrisons and deliberately orchestrated this data breach in order to harm them specifically. Morrisons argued that finding them vicariously liable in these circumstances would "render the court an accessory in furthering Mr Skelton’s criminal aims"1. However, the court maintained that the motive of the employee has always been irrelevant in vicarious liability cases, citing Mohamud v William Morrison Supermarkets plc [2016] UKSC 11 and Lister v Hesley Hall Ltd [2002] A.C where the motive was the employee’s personal racism and gratification respectively, and that this case was no exception.

The court accepted that Morrisons was innocent in respect of the data breach. It did find that, because there was no organised system for the deletion of data stored on employees’ computers outside of the usual secure systems, Morrisons fell short of its duty under data protection laws to take appropriate organisational measures to guard against unlawful disclosure and data loss. However, the court held that this failure "neither caused nor contributed to the disclosure which occurred"2. Morrisons could not have done anything more to prevent the breach from happening, yet is held vicariously liable because, as an employer, in appointing Mr Skelton as its employee, it took the unavoidable risk that it might be wrong in placing him in such a position of trust, and hence must be held responsible for his breach of that trust.

Vicarious liability is supposedly a ‘fair’ solution for claimants who might not otherwise have been able to recover compensation from the individual wrongdoing employee. Their employer doubtless has a ‘deeper pocket’ than the employee, and is hence likely to be in a better position to compensate the claimant.

Morrisons have stated their intention to appeal the decision to the Supreme Court in due course.

In light of this decision, employers must be aware that they may be liable, potentially to masses of claimants, for data breaches caused by rogue employees, even when they were not primarily at fault and it is accepted that they could have done nothing to prevent them from happening.

Employers should therefore do everything in their power to ensure employees, especially those who regularly handle confidential data, are unable to get round their systems to steal and disclose data. 

This is an incredibly onerous burden to place on employers, and it is likely to be impossible for employers to prevent these potentially massive-scale data breaches occurring altogether. As we have seen, compliance with data protection laws will not necessarily be enough. It is therefore imperative that employers insure against losses caused by rogue employees, as well as making sure they have sufficient technical and organisational preventative security measures in place under GDPR.



1 Wm Morrison Supermarkets Plc v Various Claimants [2017] EWHC 3113 (QB) at [75]

2 Wm Morrison Supermarkets Plc v Various Claimants [2017] EWHC 3113 (QB) at [25]
