Morrisons has been found vicariously liable for the actions of a disgruntled former member of staff who posted personal data belonging to Morrisons employees online. The case is significant - both in terms of the number of people impacted by the data breach in the case, but also in respect to the impact of the decision on all employers.
Andrew Skelton was employed by Morrisons as an IT Auditor. In 2014, Mr Skelton disclosed Morrisons' staff payroll data onto the internet. He was found guilty of criminal offences in July 2015 and sentenced to eight year's imprisonment. As part of the criminal trial, evidence came out that Mr Skelton may have been motivated to cause Morrisons harm because of his dissatisfaction with a disciplinary sanction he had received in 2013.
It appears that, whilst performing an IT task, Mr Skelton stole personal data - the names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and salary - of 100,000 Morrisons employees and posted it online. 5,518 of those employees pursued claims in the High Court for compensation against Morrisons, alleging breach of statutory duty (under the Data Protection Act 1998) and various common law claims (including the tort of misuse of private information).
The Court's Decision
Morrisons was found not to have primary liability for the employees' claims. Whilst it failed to meet its obligation under the Data Protection Act 1998 to take appropriate organisational measures to prevent unlawful disclosure or data loss, the failure could did not cause or contribute to Mr Skelton's breach, because Mr Skelton was determined to deliberately disclose the information. The High Court went on to determine that Morrisons was vicariously liable for Mr Skelton's behaviour, on the grounds that there was a sufficient connection between Mr Skelton's actions and role as an IT auditor at Morrisons.
This decision was based on four factors:
• There was a sequence of events linking Mr Skelton's employment to the data breach. He had been asked to perform an IT audit and subsequently took the action required to upload data to the internet. • Mr Skelton had been deliberately given the data by Morrisons. In his capacity as an IT auditor, Mr Skelton was trusted with confidential information. • Mr Skelton had been tasked with receiving and disclosing the payroll data (albeit the actual disclosure that he made was unauthorised by Morrisons). • When Mr Skelton received the data he did so whilst acting as an employee and the chain of events from receipt of the data until disclosure was not broken.
This decision means that as an employer, you are potentially liable for damage caused by an employee's unlawful data breach. This will be of concern to data controllers. Once the GDPR becomes law on 25 May 2018, fines could be up to 20 million euros or up to 4% of the organisation's total annual worldwide turnover. Morrisons is likely to appeal this decision - watch this space for further update. For further information, please contact Mark Stevens, in our Employment Law team, on 0117 314 5401.
Let us help you
By registering your interest, we'll be equipped to help answer any questions you may have about the GDPR and provide further information about how it will affect your business