Supermarket Morrisons found liable for data breach by disgruntled worker in the course of his job
In the first-ever group litigation for a data breach to come before the courts, the High Court in Various Claimants v Wm Morrisons Supermarkets Plc (2017) has found Morrisons vicariously liable for the leak of almost 100,000 employees’ details by a disgruntled ex-employee, Andrew Skelton.
Skelton was employed by the supermarket chain as a senior IT internal auditor. In 2014 he downloaded payroll data to a USB stick and posted a file online containing the National Insurance numbers, dates of birth, addresses, salaries and bank account details of approximately 100,000 of his fellow employees. In 2015 Skelton was found guilty of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 and sentenced to eight years’ imprisonment.
Morrisons was awarded £170,000 in compensation as a result of the data breach.
During his trial the court heard that Skelton held a grudge against his employer after he received a warning for using the company’s post room to sell items on eBay.
The Crown Court at Skelton’s criminal trial also heard that when Morrisons was informed about the data breach, it acted quickly to take down the leaked information within 24 hours.
Following Skelton’s conviction, a group of more than 5,500 Morrisons’ employees took action to recover compensation for breach of statutory duty under the Data Protection Act, breach of confidence and misuse of private information.
Morrisons denied liability, arguing that the company was not liable either directly or indirectly for Skelton’s criminal misuse of the data and that, as a company, it had already suffered serious damage, having incurred £2m in costs as a result of the data breach.
The High Court considered two questions:
1. Was Morrisons directly liable for the breach under the Data Protection Act 1998 or at common law?
2. Should Morrisons be vicariously liable for its ex-employee’s actions?
The court identified only one breach of the DPA by Morrisons, namely that it had not organised the deletion of the data from Skelton’s work computer. However, Judge Langstaff held that the failure did not in itself cause any loss. He said that “Morrisons have not been proved to be at fault by breaking any of the data protection principles, and neither primary liability for misuse of private information nor breach of confidentiality can be established”.
The court, however, held that Morrisons was vicariously liable for the individual’s conduct.
The key test was whether Skelton’s actions were carried out in the course of his employment. The court stated that the online disclosure of the payroll data was connected by time, place and nature to his employment. It gave several reasons, including that Morrisons had deliberately entrusted the employee with the specific payroll data, that the employee was appointed on the basis that he would receive confidential information and that Morrisons took the risk that it might be wrong in placing its trust in him.
The fact that the disclosures were made much later, using his personal equipment outside of working hours, was not substantial enough to break the relationship between the parties.
The court found that there was a sufficient connection between the position in which Skelton was employed and his wrongful conduct to make it right for Morrisons to be held liable. Morrisons has been granted leave to appeal.
- Maxine Orr is a partner specialising in employment law in Worthingtons Commercial Solicitors Belfast