
Innocent employers could be liable for massive-scale data breaches caused by rogue employees

23 October 2018

Innocent employers can be found vicariously liable for data breaches deliberately caused by rogue employees’ criminal actions. Vicarious liability is where an employer is held strictly liable, that is, liable despite not itself being at fault, for the acts or omissions of its employees.

In one of the UK’s first data protection class action cases, Wm Morrison Supermarkets Plc v Various Claimants, the Court of Appeal upheld the High Court’s decision that Morrisons was vicariously liable for the criminal actions of a former employee.

Andrew Skelton, a former senior IT internal auditor at Morrisons, copied the payroll data of almost 100,000 Morrisons employees and disclosed it on the web. This payroll data included their names, contact details, bank details and information about their salaries. Mr Skelton was convicted of fraud in 2015 and sentenced to eight years in prison. Some 5,518 of those employees subsequently brought a claim for compensation against Morrisons for the breach, despite not having suffered any financial loss as a result.

Morrisons was found vicariously liable for Mr Skelton’s unlawful acts because:

  • Mr Skelton was acting within the course of his employment when committing the unlawful acts; they were closely related to the task he had been given, which was to transfer the payroll data to KPMG for an external audit
  • although the disclosure was made from his home, it was part of an unbroken chain of events, including the wrongful acts, which fell within the field of activities assigned to him as an employee of Morrisons.

The court recognised that a novel feature of this case was Mr Skelton’s vindictive motive: he held a grudge against Morrisons and deliberately orchestrated the data breach in order to harm Morrisons specifically. Morrisons argued that finding it vicariously liable in these circumstances would "render the court an accessory in furthering Mr Skelton’s criminal aims"1. However, the court maintained that the motive of the employee has always been irrelevant in vicarious liability cases, citing Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11 and Lister v Hesley Hall Ltd [2002] 1 AC 215, where the motive was the employee’s personal racism and gratification respectively, and held that this case was no exception.

The court accepted that Morrisons was innocent in respect of the data breach itself. The one shortcoming identified was that Morrisons had no organised system for deleting data stored on employees’ computers outside its usual secure systems, which fell short of its duty under data protection law to take appropriate organisational measures against unlawful disclosure and loss of data; the court nevertheless held that this failure "neither caused nor contributed to the disclosure which occurred"2. Morrisons could not have done anything more to prevent the breach from happening, yet it is held vicariously liable because, as an employer, in appointing Mr Skelton it took the unavoidable risk that it might be wrong to place him in such a position of trust, and so must answer for his breach of that trust.

Vicarious liability is supposedly a ‘fair’ solution for claimants who might not otherwise be able to recover compensation from the individual wrongdoing employee. The employer doubtless has a ‘deeper pocket’ than the employee, and is hence likely to be in a better position to compensate the claimant.

Morrisons have stated their intention to appeal the decision to the Supreme Court in due course.

In light of this decision, employers must be aware that they may be liable to potentially very large numbers of claimants for data breaches caused by rogue employees, even where they were not primarily at fault and it is accepted that they could have done nothing to prevent the breach.

Employers should therefore do everything in their power to ensure that employees, especially those who regularly handle confidential data, are unable to circumvent their systems to steal and disclose data.

This is an incredibly onerous burden to place on employers, and it is likely to be impossible for employers to prevent such potentially massive-scale data breaches altogether. As we have seen, compliance with data protection laws will not necessarily be enough. It is therefore imperative that employers insure against losses caused by rogue employees, as well as making sure they have sufficient technical and organisational preventative security measures in place under the GDPR.


1  Wm Morrison Supermarkets Plc v Various Claimants [2017] EWHC 3113 (QB) at [75]

2  Wm Morrison Supermarkets Plc v Various Claimants [2017] EWHC 3113 (QB) at [25]
