Could an employer be liable for a malicious data breach by an employee?

A recent Court of Appeal decision highlights the risk that data controllers will be found liable for damages due to a data breach of a rogue employee

In Wm Morrison Supermarkets Plc v Various Claimants, the Court of Appeal upheld the decision of the High Court that Morrisons was vicariously liable for the deliberate disclosure of the personal data of thousands of employees on the internet.

Mr Skelton was a senior IT internal auditor employed by Morrisons. He became disgruntled after receiving a formal verbal warning for a disciplinary issue. As part of his job, he had access to Morrisons' payroll data. He copied this data onto a personal USB stick, planning to disclose the data in order to harm his employer.

In January 2014, he posted the personal details of nearly 100,000 employees of Morrisons on a file sharing website. The data consisted of the names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and details of salary. Two months later, he sent a CD containing a copy of the data to three newspapers, pretending to be a concerned person who had discovered that this data was available on the internet.

The newspapers informed Morrisons which took steps to ensure that the website was taken down and informed the police. Mr Skelton faced criminal proceedings and was sentenced to eight years in prison.

Over 5,000 employees brought a class action for damages from Morrisons in the High Court on the basis of the misuse of private information, breach of confidence, and breach of Morrisons' statutory duty to comply with the data protection principles under the Data Protection Act 1998.  

The High Court found that Morrisons had taken proper measures to protect the employees' data (save for some failings in its data deletion practices which would not have prevented the data breach) and could not have known that Mr Skelton was not to be trusted. It therefore found that Morrisons was not directly liable under data protection law. However, it found that there was sufficient closeness between the wrongdoing of Mr Skelton and the tasks he was employed to do, to hold Morrisons vicariously liable for his actions.

The Court of Appeal agreed. It agreed that there was an unbroken chain of planned events linking Mr Skelton's wrongdoing to his employment.

The high level of fines under the General Data Protection Regulation have been much publicised. This case highlights the additional risk that deliberate disclosure of personal data by a disgruntled employee could lead to significant civil damages for vicarious liability, even where an employer has complied with data protection law. The Court of Appeal commented that insurance could be the answer for data controllers, although there are likely to be limits on the extent to which any such public liability or cyber insurance policy would cover legal costs and/or damages awards.

We understand that Morrisons intends to appeal to the Supreme Court.