Yes, held the Court of Appeal, based on the facts in the case of Various Claimants -v- Wm Morrison Supermarkets PLC.
In certain situations, an employer can be held responsible for the acts, or omissions, of its employees, if they took place in the course of their employment. This is known as Vicarious Liability.
Vicarious liability for the acts of employees applies only where those acts arise while the employee is acting in the course of his or her employment.
Mr Skelton worked for Morrisons as a senior IT auditor. In 2013 he was subject to a disciplinary hearing and had been given a formal verbal warning by his employer. He was annoyed by this and held a personal grudge against Morrisons.
Whilst he was still employed, Mr. Skelton copied the personal and confidential data of almost 100,000 Morrisons employees onto his own personal USB stick. Months later, from his home, he posted the data to a file sharing website and tipped off three UK newspapers about the data breach.
Despite trying to purposely frame a colleague for his criminal act, Mr. Skelton was later arrested and convicted of fraud and offences under the Computer Misuse Act 1990 and under section 55 of the Data Protection Act. He received a sentence of 8 years imprisonment.
Following this, 5,518 employees of Morrisons brought a claim for damages in the High Court against Morrisons, stating that it was primarily or vicariously liable for Mr. Skelton’s misuse of private information, breach of confidence and breach of the Data Protection Act.
The High Court held that Morrisons were not primarily liable for Mr. Skelton’s actions, but that they were vicariously liable. However, the Judge gave permission for Morrisons to appeal for the reason that the court proceedings were part of the original crime – in that it was Mr. Skelton’s intention to harm Morrisons, who were now being sued for his criminal acts.
Morrisons appealed on three grounds: the Data Protection Act excludes vicarious liability; the DPA excludes causes of action under the misuse of private information and breach of confidence; and the actions of Mr. Skelton did not occur during the course of his employment, so Morrisons should not be held vicariously liable.
The court dismissed the first two points of appeal. On the third, it agreed with the Judge in the initial hearing that there was enough connection between the wrongful acts of Mr. Skelton and his employment. Mr. Skelton was employed and entrusted with payroll data and, although he committed the data breach from home, the court pointed out: “there was an unbroken thread that linked his work to the disclosure: What happened was a seamless and continuous sequence of events.”
The court also discounted the fact that Mr. Skelton’s motive was to deliberately harm his employer, stating that it was irrelevant.
Points to note
The Court of Appeal took a particularly strict stance on this, especially as an investigation by the Information Commissioner’s Office (ICO) found that Morrisons had not breached the Data Protection Act.
This failed appeal is also significant in that it highlights that cyber-security threats do not only come from hackers; employers must also protect themselves from the possibility of rogue employees.
Action to take
- Put in place safeguards, such as strict codes of conduct, to protect against a rogue employee.
- Monitor how sensitive personal data is handled within your organisation and consider introducing a clause to employment contracts with a possible financial deterrent.
- Ensure you have adequate insurance policies in place to cover serious data breaches.