Is an employer liable for deliberate data breaches by a disgruntled employee?
No, declared the Supreme Court in a decision handed down yesterday (1 April).
The case concerned Andrew Skelton, a Morrisons employee who had intentionally leaked the personal data of thousands of his colleagues, and whether Morrisons should be held vicariously liable for his actions.
Employers can be liable for torts committed by an employee if there is a sufficient connection between the employment and the wrongdoing.
Skelton worked as an IT internal auditor and in late 2013, in the course of his duties, transferred payroll information in respect of nearly 100,000 employees to the company's auditors. At the same time he also downloaded a copy for personal use onto a USB stick.
Early in 2014, and still aggrieved at an unrelated disciplinary sanction given to him the previous summer, Skelton uploaded, in his own time, the payroll data to a public file sharing website. The data disclosed included employees' names, addresses, telephone numbers and bank details.
Subsequently he sent the same information to three newspapers. One newspaper contacted Morrisons which then took immediate action to remove the online data and inform the police. Skelton was imprisoned for eight years and Morrisons spent over £2.26m dealing with the aftermath of the breach.
A number of employees brought a claim under the Data Protection Act 1998 (now replaced by the Data Protection Act 2018) against Morrisons alleging that it was either directly or vicariously liable for Skelton's actions.
The High Court held that Morrisons was not primarily responsible for the breaches, but was vicariously liable on the basis that there was a sufficient connection between Skelton's role and his conduct. Morrisons appealed on two grounds:
· That Skelton did not act in the course of his employment – he had uploaded and shared the personal data in his own time in pursuit of a personal grudge.
· The DPA excluded any scope for liability on an employer for wrongful processing of personal data by an employee and therefore it was implicit that there could not be any vicarious liability.
The Court of Appeal upheld the decision of the High Court and Morrisons appealed to the Supreme Court.
The Supreme Court unanimously held that Skelton did not act in the ordinary course of his employment and that it would be unfair and improper to hold otherwise.
The fact that his employment gave him the opportunity to commit wrongdoing was not sufficient, in the Court’s view, to make Morrisons vicariously liable.
An employer would not usually be vicariously liable where the employee is pursuing a personal grudge outside their field of activities for the employer rather than pursuing their employer's business.
Although Morrisons therefore won, the Court also concluded that the DPA, which is silent about an employee who goes on to act as a "data controller" in this way, does not exclude vicarious liability. This is an important caveat to the outcome, because it leaves the door open for such claims to be brought in the future where the connection with the employee's work is closer.
While this judgment is case-specific, it will provide some comfort to employers knowing that they are unlikely to be held vicariously liable for rogue data breaches committed by their employees in their own time for purely personal reasons with malicious intent.
However, employers should not be complacent. It is clear from the judgment that employers can be held vicariously liable for data breaches by their employees if the connection with their work is strong enough.
The judgment referred to a case where an employer was held vicariously liable for an assault committed by a senior employee on a colleague at an after-work social event, because the assailant was asserting his authority over work-related matters. A closer connection between Skelton's conduct and his work could likewise have led to a different result.
To minimise the risk of such a breach and to protect their organisation, employers should ensure they have a clear and up-to-date Data Protection Policy, Staff Privacy Notice and Appropriate Policy Document.
In particular, the latter requires employers to consider and implement additional security measures for particularly sensitive information so that employees' personal data is held and transferred securely. The risk of not doing so is not only financial but also reputational.
Vicky Schollar is an associate at Blake Morgan LLP's Employment law team