A file containing personal details of nearly 100,000 Morrisons’ employees was secretly and unlawfully posted on a file sharing website by Mr Skelton, an internal auditor, outside working hours and while he was at home, having previously secretly copied the data from his encrypted work laptop onto a personal USB. He had been provided with this data as part of Morrisons’ annual statutory audit process. He then anonymously sent a CD containing a copy of the data to three newspapers, with a message that he had “worryingly discovered” that the payroll data was available on the web. Following a criminal investigation and trial, Mr Skelton was convicted and sentenced to eight years in prison for criminal misuse of the payroll data.
Immediately after Morrisons discovered the breach, it took action to take the website down and to protect the data and any financial loss which might result from the disclosures. Despite this, 5,500 employees brought a claim on the basis that Morrisons was directly liable for Mr Skelton’s act of disclosing the data or, alternatively, it was vicariously liable for his actions.
Dismissing the claim for direct liability for misuse or disclosure of the data, the Court concluded that Morrisons could not reasonably have known that Mr Skelton posed a threat to the employee database, and that the protections it had in place were either sufficient or could not have prevented the disclosures. In relation to vicarious liability, however, the Court concluded that there was sufficient connection between the position in which the individual was employed and his wrongful conduct. In coming to this conclusion, the Court said that the question was not whether Morrisons did anything wrong, but whether, when Mr Skelton did, his actions were closely connected with his employment.
This case has significant implications for all data controllers that use employees or agents to process data. Where individuals can access data there will always be a risk that data may be misprocessed, or even disclosed without authority. The harm caused to an employer from this type of data breach could be substantial, ranging from reputational damage to possible losses suffered by individual employees from identity fraud. Assuming this judgment still stands, and despite the fact Morrisons may have been able to mitigate the Claimants’ loss by acting quickly after the breach was discovered, any compensation could include damages for distress even if there is no direct financial loss suffered.
Data controllers can take precautions to prevent breaches by ensuring the most appropriate and best systems are in place. However, this case shows that this will not always be enough to avoid vicarious liability for the actions of an employee who deliberately and criminally discloses data to harm their employer.