Monday 29th October 2018
The CA has found WM Morrison Supermarkets plc vicariously liable for a payroll data breach resulting from the actions of a disgruntled employee.
Mr Skelton was tasked with providing Morrisons’ external auditor with sensitive payroll data for their annual audit. The data was copied onto an encrypted USB stick, downloaded to Mr Skelton’s encrypted laptop and copied again onto an encrypted USB stick provided by and then given to the auditors. Disgruntled following previous disciplinary action, Mr Skelton subsequently copied the data, which had remained on his laptop, onto a personal USB. He then posted a file containing the sensitive data of thousands of employees on a sharing website, using an account set up with another employee’s identity.
A group of employees claimed compensation arguing Morrisons was vicariously liable, under the Data Protection Act 1998, for Mr Skelton’s actions. Morrisons sought to argue that the DPA does not allow for vicarious liability. The High Court disagreed, holding that there was a “seamless and continuous sequence” or “unbroken chain” of events sufficient to establish the required connection between Mr Skelton’s actions and his employment. The fact that the disclosures were made from home with personal equipment and on a Sunday did not sever the connection. Morrisons appealed.
The CA found that there is no express or implied exclusion in the DPA preventing the possibility of vicarious liability. The CA identified the two elements of the close connection test: did Mr Skelton’s actions fall within the “field of activities” entrusted to him by Morrisons and, if so, was there sufficient connection between the position he held and his wrongful conduct to “make it right” for Morrisons to be held liable?
Morrisons had chosen to entrust Mr Skelton with the payroll data and therefore with ensuring it remained confidential. His role involved receiving and storing confidential payroll data as well as providing it to third parties. The CA agreed that there had been an unbroken chain of events connecting Mr Skelton’s actions to his employment. Morrisons sought to argue that holding them vicariously liable would make the court an accessory in furthering Mr Skelton’s criminal aims. Motive was again held by the CA to be irrelevant in determining vicarious liability. An employer’s protection is to insure itself against such possibilities.
Morrisons has indicated it will appeal to the SC and we will report further developments.
All information in this update is intended for general guidance only and is not intended to be comprehensive, or to provide legal advice.