This week, the Court of Appeal delivered a worrying verdict for employers in the UK’s first data leak group action.
The case of WM Morrison Supermarkets Plc v Various Claimants has the potential to open the floodgates for an increasing number of employers being held to account for their employees’ behaviour.
In upholding the verdict of the High Court, the Court of Appeal has made it possible for employers to be found vicariously liable for the actions of rogue employees – even in situations where they’ve taken preventive steps and aren’t criminally liable for the employee’s actions.
The Court of Appeal found in favour of a group of employees who claimed that they had suffered loss following a leak of their personal data.
The case involved Mr Skelton, a senior IT internal auditor employed by Morrisons supermarket. In 2013, he received a formal verbal warning for unauthorised use of company posting facilities for private purposes, which left him with a grudge against his employer.
Later in 2013, Mr Skelton requested payroll data from Morrisons’ HR team. His request was legitimate, as he needed to pass the data on to Morrisons’ external auditors. A member of the HR team copied the data onto an encrypted USB stick, which Mr Skelton then downloaded onto his laptop and copied onto another encrypted USB stick. He passed the encrypted USB stick on to the external auditors, but also copied the data onto his own personal USB stick.
Skelton then took the data – which included the personal details of 99,998 employees – and posted it onto a file-sharing website. He later sent a CD containing a copy of the data to three newspapers, just as the company was preparing to announce its annual financial results.
Morrisons’ management were alerted to the disclosure by the newspapers involved and acted quickly to get the data taken down from the file sharing websites. Mr Skelton was later arrested and convicted of fraud, unauthorised access to computer material, and disclosing personal data, and sentenced to eight years in prison.
The Court of Appeal found that there was a seamless and continuous sequence of events that linked Mr Skelton’s employment to the disclosure. The connection between Mr Skelton’s actions and his employment was sufficient for Morrisons to be held vicariously liable for his conduct.
Many employers will be surprised to hear that they could find themselves on the hook for the malicious actions of a disgruntled employee, and that they could be found vicariously liable – even when the employee is convicted of a criminal offence.
Arguably, the Court of Appeal’s findings were based on well-established principles and, therefore, Morrisons should have expected to bear the risk and assume responsibility for Mr Skelton’s wrongdoing.
Employers considering the consequences of this decision are likely to look to minimise risk and reduce exposure to these types of threats. This may involve shifting risk to third-party insurers, but they should also look at their procedures for monitoring staff who have access to, and deal with, personal data, making sure they have policies and procedures in place that protect themselves, as well as their staff and customers.
Understandably, Morrisons were disappointed with the decision, as they were quick to remove the data from the file sharing sites and provide protection for affected colleagues. They believe, and I’m sure many will agree, that they should not be held responsible and have therefore vowed to appeal the decision to the Supreme Court, whose decision will be eagerly anticipated.