
innocent employers could be liable for massive-scale data breaches caused by rogue employees

23 October 2018

Innocent employers can be found vicariously liable for data breaches deliberately caused by rogue employees’ criminal actions. Vicarious liability is where an employer is held strictly liable, i.e. liable despite not being at fault, for the acts or omissions of its employees.

In one of the UK’s first data protection class action cases, Wm Morrison Supermarkets Plc v Various Claimants, the Court of Appeal upheld the decision that Morrisons was vicariously liable for the criminal actions of a former employee.

Andrew Skelton, a former senior IT internal auditor at Morrisons, copied the payroll data of almost 100,000 Morrisons employees and disclosed it on the web. This payroll data included their names, contact details, bank details and information about their salaries. Mr Skelton was convicted of fraud in 2015 and sentenced to 8 years in prison. 5,518 of these employees subsequently brought a claim for compensation from Morrisons for the breach, despite not having suffered any financial loss as a result.

Morrisons was found vicariously liable for Mr Skelton’s unlawful acts because:

  • Mr Skelton was acting within the course of his employment when committing the unlawful acts – they were closely related to the task he was appointed to do, which was transfer the payroll data to KPMG for an external audit
  • although the disclosure was made from his home, it was part of an unbroken chain of events including the wrongful acts, which were within the field of activities assigned to him as an employee of Morrisons.

The court recognised that a novel feature of this case was Mr Skelton’s vindictive motive; he held a grudge against Morrisons and deliberately orchestrated this data breach in order to harm them specifically. Morrisons argued that finding them vicariously liable in these circumstances would "render the court an accessory in furthering Mr Skelton’s criminal aims"1. However, the court maintained that the motive of the employee has always been irrelevant in vicarious liability cases, citing Mohamud v William Morrison Supermarkets plc [2016] UKSC 11 and Lister v Hesley Hall Ltd [2002] A.C where the motive was the employee’s personal racism and gratification respectively, and that this case was no exception.

The court accepted that Morrisons was innocent in respect of the data breach. It was found that, because there was no organised system for the deletion of data stored on employees’ computers outside the usual secure systems, Morrisons fell short of its duty under data protection laws to take appropriate organisational measures to guard against unlawful disclosure and data loss; however, the court held that this failure "neither caused nor contributed to the disclosure which occurred"2. Morrisons could not have done anything more to prevent the breach from happening, yet is held vicariously liable because, as an employer, in appointing Mr Skelton as its employee it took the unavoidable risk that it might be wrong in placing him in such a position of trust, and hence must be held responsible for his breach of that trust.

Vicarious liability is supposedly a ‘fair’ solution for claimants who might not otherwise have been able to recover compensation from the individual wrongdoing employee. Their employer doubtless has a ‘deeper pocket’ than the employee, and is hence likely to be in a better position to compensate the claimant.

Morrisons have stated their intention to appeal the decision to the Supreme Court in due course.

In light of this decision, employers must be aware that they may be liable to potentially huge numbers of claimants for data breaches caused by rogue employees, even when they were not primarily at fault and it is accepted that they could have done nothing to prevent the breaches from happening.

Employers should therefore do everything in their power to ensure that employees, especially those who regularly handle confidential data, are unable to circumvent their systems to steal and disclose data.

This is an incredibly onerous burden to place on employers, and it is likely to be impossible for employers to prevent these potentially massive-scale data breaches from occurring altogether. As we have seen, compliance with data protection laws will not necessarily be enough. It is therefore imperative that employers insure against losses caused by rogue employees, as well as making sure they have sufficient technical and organisational preventative security measures in place under the GDPR.

You might also be interested in...

We have recently looked at the obligations upon employers following the recent Bupa case here.

And looked at a recent (failed) attempt to bring a class action (and what you need in order to bring a successful GDPR class action) here.

1  Wm Morrison Supermarkets Plc v Various Claimants [2017] EWHC 3113 (QB) at [75]

2  Wm Morrison Supermarkets Plc v Various Claimants [2017] EWHC 3113 (QB) at [25]
