Morrisons liable for data breach by rogue employee

Supermarket Morrisons faces paying a substantial sum in damages after the Court of Appeal confirmed it was liable for a data breach deliberately carried out by an employee.

Andrew Skelton was entrusted with handing over the payroll data of almost 100,000 Morrisons employees to auditors. Skelton, however, had a grudge against the company after it took disciplinary action against him for using the Morrisons mailroom to send out a slimming drug; a package had split, spilling an unidentified white powder and causing alarm. To further his grudge, Skelton copied the payroll data, posted it online and sent it to newspapers. The police were alerted and he was convicted of fraud and offences under the Computer Misuse Act and the Data Protection Act and sentenced to 8 years in prison.

A group of 5,518 employees brought proceedings against Morrisons for breach of the Data Protection Act, breach of confidence and misuse of private information. The judge held that although Mr Skelton and not Morrisons was the ‘data controller’ of the data when he posted it online, Morrisons was still vicariously liable for his actions.

Vicarious liability is the legal mechanism whereby employers are found liable for wrongs committed by their employees.  It has been applied in a wide range of circumstances, including where the employees were doing things that they were obviously not supposed to, for example where the warden of a school boarding house sexually abused boys in his care.  It had not, until now, been applied to data protection claims.

Morrisons appealed to the Court of Appeal, arguing that data protection legislation only applies to data controllers, and that in relation to security measures a data controller only had to comply with the 7th data protection principle, which requires it to take appropriate technical and organisational measures to prevent unlawful access to personal data.  Morrisons also argued that compensation is only available where the data controller has failed to take reasonable care to comply with the law – which it said it had done.

This contrasts with the position in vicarious liability, which in effect imposes strict liability, i.e. even if the employer has taken reasonable care, it will still be liable for a careless, negligent or malicious employee’s actions.

Morrisons also sought to argue that data protection legislation had superseded the law on breach of confidence and misuse of private information such that there was no longer room for vicarious liability in those causes of action.

The Court rejected these arguments. The different, strict standard of liability that applies where an employer is vicariously liable for its employee’s actions is the position across the board, not just in data protection.

There is nothing in the Data Protection Act to suggest Parliament intended to exclude people from bringing claims in misuse of private information/breach of confidence as well as under the Act, nor that it intended vicarious liability not to apply, and the judge was right to find that it should.

As Mr Skelton was entrusted with the payroll data as part of his job there was a sufficient connection with his employment for vicarious liability to apply. His motive of hurting the company was not relevant.  Concerns about the costs to business could not affect the decision and in any event could be mitigated by insurance.

Morrisons has said it intends to appeal to the Supreme Court.

Both this Court of Appeal decision and the judge’s initial decision have caused considerable concern in data protection circles, given that the Information Commissioner had declined to take any action against Morrisons, and the Court itself found that the only breach of the 7th data protection principle did not cause the damage complained of. However, this is simply a demonstration of the difference between regulatory action and the position before a court.

This case suggests that where there has been a data breach, even if carried out by a rogue employee, the company may well be liable, and those affected may be able to seek compensation.