Is an employer vicariously liable for data breaches made by rogue employee?

On 1st December 2017 the High Court handed down a landmark ruling in the case of Various Claimants v Wm Morrison Supermarkets PLC. This case may well be the largest group litigation to come before the courts in relation to “leaked personal data” liability.

In summary, the central issue in the case was whether Morrison’s could be held liable for breach of the Data Protection Act 1998 (DPA) on the basis of:

  • Its own failure, as data controller, to ensure that employee data was processed in accordance with the DPA principles; and/or
  • Its vicarious liability for the criminal online disclosure, by a rogue employee, of personal payroll details pertaining to almost 100,000 employees.

The High Court ruled that Morrison’s was vicariously liable for the criminal actions of its employee (Mr Skelton). However, it dismissed the claims that Morrison’s had, by its own conduct, breached the DPA, or that it was responsible for any misuse of private information or breach of confidence.

The case was referred to a further hearing to assess how much compensation should be awarded to the 5,518 employees involved in the group action. Given the sheer magnitude of the financial implications arising from this ruling, it is highly probable that Morrison’s will appeal the decision.

How did Morrison’s get into this situation?

Morrison’s employed a senior IT auditor, Mr Skelton, who, unbeknown to Morrison’s, ran a small business via eBay selling a legal slimming drug, Phenylalanine. That drug has similar properties to an illegal drug, Amphetamine, and in powder form is also white. During May 2013 Mr Skelton placed a personal pre-paid package in the supermarket’s post room for forwarding to a customer who had purchased the slimming drug. The package contained a customer order for the white powdery slimming product, Phenylalanine. Somehow, that package came open in the post room and the Phenylalanine (“white powder”) was discovered. This caused quite a disturbance in the post room, as it was assumed that the white substance was an illegal drug. The police were called and Mr Skelton was suspended from work whilst investigations ensued.

Initial testing at the police station indicated that the white powder was the illegal drug Amphetamine. However, subsequent, more detailed laboratory testing confirmed that the substance was in fact the lawful Phenylalanine. By the time this issue was resolved, Mr Skelton had been absent on suspension for one month. On his eventual return to work, as a consequence of the disturbance his conduct had caused in the post room, Morrison’s carried out a disciplinary procedure and issued him with a verbal warning. Despite the sanction being minimal, Mr Skelton took the stance that it was excessive and appealed the decision. Unsurprisingly, his appeal was rejected.

Following this “white powder” incident, Mr Skelton began to harbour a grudge against his employer. This bad feeling eventually resulted in him abusing his trusted position: he leaked confidential employee information (names, addresses, bank account details, salaries and national insurance numbers) onto the internet and to local newspapers. Notably, he carried out the disclosure at home on a Sunday (not in work time), but in doing so he was acting contrary to his role and in breach of the DPA.

When Morrison’s was made aware of the breach, it took swift action to remedy the situation, but at a cost of almost £2 million in professional and legal fees. As for Mr Skelton, he was subsequently jailed for eight years on three charges of fraud, following a criminal hearing held in 2015. It was clear from the evidence heard by the recorder at that criminal hearing that Mr Skelton’s actions were deliberate and calculated: he went to great lengths to hide his tracks by setting up a false email account, purchasing an untraceable pay-as-you-go phone and trying to access a “deep web” browser to conceal his identity. He did all of this in his bid to create havoc and damage for Morrison’s.

Given the history of this case, the ruling has come as something of a double financial blow to Morrison’s. A small window of hope for Morrison’s is that, if an appeal is lodged, the vicarious liability finding has a real possibility of being overturned, provided that the appeal court takes on board the concluding remarks in the High Court judgment as to the fairness of the outcome and whether the judgment was in fact making “the court an accessory in furthering his [Mr Skelton’s] criminal acts”.

What can we learn from this ruling?

As we draw closer to 25 May 2018 and the introduction of the GDPR, with its tougher policing and higher sanctions for data protection breaches, businesses should take a closer look at who has access to payroll details and other sensitive personal data. In particular, businesses should assess whether these individuals have the potential to criminally misuse data and, if so, what additional measures can be put in place to protect against this. It may well be worthwhile holding training with staff to make them aware of the potential criminal sanctions that can be imposed on individuals who commit fraud using personal data belonging to others.

As always, if you have a legal query please get in touch with the FSB Legal Helpline on 0345 0727727 and we'll be happy to assist you.