Rogue employees and data breaches – when is an employer liable?
06/04/20
The Supreme Court has determined that an otherwise blameless employer should not be vicariously liable where a rogue employee stole HR information relating to colleagues, as part of a vendetta against his employer.
In Morrisons v Various Claimants, about 9,000 staff had brought a group claim against their employer, Morrisons Supermarkets. This was after an aggrieved employee, Mr Skelton (who had legitimate access to their payroll information as part of his work), made a second copy of the payroll data and, a few months later, put it on the dark web so as to leave the staff vulnerable to identity fraud. Mr Skelton was arrested and sent to prison for offences under the Computer Misuse Act.
The Courts originally held that Morrisons had sufficient security arrangements in place (and so did not have any direct liability to the employees arising from the theft), but that Morrisons should be responsible for Mr Skelton’s actions because of the circumstances in which they arose. The employees were seeking damages under the Data Protection Act; whilst these would have been relatively low value claims at an individual level, multiplied across 9,000 staff involved in the group litigation, the total value could have been significant.
The Supreme Court has now held that, in light of all the factors, Mr Skelton’s actions were not so closely connected with the acts which he was authorised to do as part of his job that they could fairly and properly be regarded as done by him while acting in the ordinary course of his employment. Morrisons therefore was not vicariously liable for his actions. In particular, the Court found that his work at Morrisons only provided Mr Skelton with the ‘opportunity’ for the wrongdoing, and the fact that he was pursuing a vendetta against his employer was important.
At a headline level, this case will be welcomed by employers faced with the actions of rogue employees leaving their organisation open to data protection claims.
However, there are a number of important points for organisations to take away:
- An employer still needs to have appropriate security measures in place, to satisfy its own obligations under data protection law as a data controller. Organisations should keep their security arrangements under review based on the information they hold and the risks they face. The security measures should be documented and tested, and employers should ensure they are consistently followed.
- Where an employee is processing data solely on behalf of their employer, rather than ‘on a frolic of their own’, the employer will be subject to direct liability. If Mr Skelton had (for instance) negligently lost the information by sending a legitimate copy of the payroll information to an unintended recipient via an unencrypted USB stick in the course of his work (rather than deliberately setting out to make an illegitimate copy to harm his colleagues and Morrisons), Morrisons could have been responsible for that.
- The Court said that data protection law did not provide for a blanket exclusion of the vicarious liability principle, even in the case of rogue employees. Depending on the facts, vicarious liability could still be imposed.
You can read a copy of the judgment here.
How Capsticks can help
Our information law team and claims lawyers are experienced in handling data breaches and cases arising from the loss of sensitive information, as well as broader issues around information governance and risk management. For more information, speak to Andrew Latham, Peter Marquand, Anna Walsh or Majid Hassan.