
Oct 26th, 2018

Supermarket vicariously liable for data breach by employee

Can an employer be vicariously liable for the wrongful act of an employee, even where the act was a criminal offence and the motive was to cause harm to the employer?

Yes, according to the Court of Appeal in WM Morrison Supermarkets PLC v Various Claimants.

This case followed a security breach whereby Mr Skelton, an employee of Morrisons, leaked the personal data of around 100,000 colleagues, in a deliberate attempt to harm the employer. He had a personal grudge after receiving a disciplinary warning. Mr Skelton was jailed for 8 years for his offences.

The employees whose information had been disclosed brought a claim against Morrisons.

Primary liability

The claim for primary liability against the employer was dismissed.

Mr Skelton was a senior IT internal auditor and therefore had direct access to the information to carry out his duties, so the employer could not have ensured that he did not copy the information onto his own personal USB stick. Morrisons did not directly misuse, authorise or permit the breach.

Vicarious liability

Controversially, the Court held that the employer was vicariously liable for the conduct of Mr Skelton, as there was a “sufficiently close connection” between his actions and his employment. The Court found there was a seamless and continuous sequence of events that linked his employment to the disclosure:

  • Mr Skelton’s job role entrusted him with the data and when he received the information he was acting as an employee. 
  • The act, sending out the claimants’ data in an unauthorised way, was closely related to what Mr Skelton had been tasked to do: receive, store and disclose information to a third party.
  • The fact that Mr Skelton did so outside of his employment - at home, using personal equipment, and on a non-working day - did not disengage the employer. 
  • The fact that Mr Skelton’s motive was to cause harm to Morrisons, by way of financial and reputational damage, was irrelevant; it did not amount to an exception to the principles of vicarious liability.

Morrisons are appealing to the Supreme Court.

What does this mean for employers?

Employers need to be aware that they can be vicariously liable for the acts of an employee when there is a sufficiently close connection between the employee’s actions and their employment, even if the motive of the employee is to deliberately cause financial or reputational damage to the employer.

The Court of Appeal recommended insuring against such events; we do not know to what extent such products might be available.

This case arose around data protection laws, so employers should ensure they have appropriate processes in place and all employees are trained on their responsibilities, in accordance with the GDPR principle of accountability.

For advice on any of the above matters, please do not hesitate to contact a member of the Langleys Employment Team.
