0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

innocent employers could be liable for massive-scale data breaches caused by rogue employees

23 October 2018

Innocent employers can be found vicariously liable for data breaches deliberately caused by rogue employees’ criminal actions. Vicarious liability is where an employer is found to be strictly liable i.e. liable despite not being at fault, for the acts or omissions of their employees.

In one of the UK’s first data protection class action cases: Wm Morrison Supermarkets Plc v Various Claimants, the Court of Appeal upheld the decision that Morrisons was vicariously liable for the criminal actions of a former employee.

Andrew Skelton, a former senior IT internal auditor at Morrisons, copied and disclosed the payroll data of almost 100,000 Morrisons employees on the web. This payroll data included their names, contact details, bank details and information about their salaries. Mr Skelton was convicted of fraud in 2015 and sentenced to 8 years in prison. 5,518 of these employees subsequently brought a claim for compensation from Morrisons for the breach, despite not having suffered any financial loss as a result.

Morrisons was found vicariously liable for Mr Skelton’s unlawful acts because:

  • Mr Skelton was acting within the course of his employment when committing the unlawful acts – they were closely related to the task he was appointed to do, which was transfer the payroll data to KPMG for an external audit
  • although the disclosure was made from his home, it was part of an unbroken chain of events including the wrongful acts, which were within the field of activities assigned to him as an employee of Morrisons.

The court recognised that a novel feature of this case was Mr Skelton’s vindictive motive; he held a grudge against Morrisons and deliberately orchestrated this data breach in order to harm them specifically. Morrisons argued that finding them vicariously liable in these circumstances would "render the court an accessory in furthering Mr Skelton’s criminal aims"1. However, the court maintained that the motive of the employee has always been irrelevant in vicarious liability cases, citing Mohamud v William Morrison Supermarkets plc [2016] UKSC 11 and Lister v Hesley Hall Ltd [2002] A.C where the motive was the employee’s personal racism and gratification respectively, and that this case was no exception.

The court accepted that Morrisons was innocent in respect to the data breach. It was however found that because there was no organised system for the deletion of data stored on employees computers outside of the usual secure systems, Morrisons fell short of their duty under data protection laws to take appropriate organisational measures to guard against unlawful disclosure and data loss, the court held that this failure "neither caused nor contributed to the disclosure which occurred"2. Morrisons could not have done anything more to prevent the breach from happening, yet are held vicariously liable because as an employer, in appointing Mr Skelton as their employee, they took the unavoidable risk that they might be wrong in placing him in such a position of trust, and hence must be held responsible for his breach of that trust.

Vicarious liability is supposedly a ‘fair’ solution for claimants who might not otherwise have been able to recover compensation from the individual wrongdoing employee. Their employer doubtless has a ‘deeper pocket’ than the employee, and is hence is likely to be in a better position to compensate the claimant.

Morrisons have stated their intention to appeal the decision to the Supreme Court in due course.

In light of this decision, Employers must be aware that may be liable to potentially masses of claimants for data breaches caused by rogue employees, even when they were not primarily at fault and it is accepted that they could have done nothing to prevent them from happening. 

Employers should therefore do everything in their power to ensure employees, especially those who regularly handle confidential data, aren’t able to get round their systems to steal and disclose data. 

This is an incredibly onerous burden to place on employers and it is likely to be impossible for employers to prevent these potentially massive scale data breaches occurring altogether; as we have seen, compliance with data protection laws will not necessarily be enough. It is therefore imperative that employers insure against losses caused by rogue employees, as well as making sure they have sufficient technical and organisational preventative security measures in place under GDPR. 

We have recently looked at the obligations upon employers following the recent Bupa case here.

And looked at a recent (failed) attempt to bring a class action (and what you need in order to bring a successful GDPR class action) here.


1  Wm Morrison Supermarkets Plc v Various Claimants [2017] EWHC 3113 (QB) at [75]

Wm Morrison Supermarkets Plc v Various Claimants [2017] EWHC 3113 (QB) at [25]

related opinions

Justice must be seen to be done - by video link?

The modernisation of the civil justice system will take a step forward this month with the introduction of a pilot scheme to determine applications via video link.

View blog

Confidentiality is not an automatic defence to disclosure

Even documents containing confidential information can become disclosable in a procurement challenge.

View blog

Part-time judges entitled to backdate judicial pensions

Part-time judges to be entitled to count years served prior to the Part-time Workers Directive 98/23 extending Directive 97/81 being transposed on 7 April 2000.

View blog

ECJ ruling: workers may be entitled to payment in lieu

It is accepted that accrued holiday could be paid in lieu upon termination of employment. Likewise, holiday can be carried over to the next year in some circumstances such as where an employee cannot take annual leave due to being on maternity leave.

View blog

mailing list sign up



Select which mailings you would like to receive from us.

Sign up