Employer Liable for Employee’s Data Breach
Morrison Supermarkets hit the headlines recently, but almost certainly not with the sort of positive pre-Christmas publicity they would have hoped for. In a decision that could have major implications for employers, not only in respect of data breaches but also in widening the circumstances in which an employer will be liable for the actions of its employees, the High Court held that Morrisons, as the employer, was vicariously liable for the actions of one of its employees who disclosed the personal information of colleagues on the internet.
The employee in question, Andrew Skelton, held a senior position at Morrisons headquarters. He was aggrieved by disciplinary action that had been taken against him. This appears to have prompted him, at the beginning of 2014, to upload to a file-sharing website a large amount of workers' payroll data, including names, addresses, bank account details and salaries. This was no low-level data breach: Mr Skelton is estimated to have disclosed the details of almost 100,000 Morrisons employees.
Mr Skelton was arrested and charged with a number of criminal offences, including fraud. He was convicted and sentenced to eight years in prison. However, it doesn't end there. Unsurprisingly, given the amount of personal data that was disclosed, a group of more than 5,000 current and former employees have brought a class action claim against Morrisons, with claims including misuse of private information and breach of confidence.
Whilst a number of the claims were not successful, the High Court did find that the supermarket giant was vicariously liable for Mr Skelton's actions in misusing the information and breaching confidence. Central to this decision was the High Court's finding that Mr Skelton was acting in the course of his employment when he disclosed the information. This may well come as a surprise to many employers, as Morrisons clearly did not tell him to disclose such information, nor would it have regarded doing so as part of his role. This is even more so given that the disclosure was made when Mr Skelton was at home, outside working hours and using his own computer equipment.
Nonetheless, the court was of the view that there was a sufficient connection between his employment and his actions. In reaching that conclusion, the Court's assessment was that Morrisons had chosen to trust Mr Skelton and had therefore taken the risk that such trust was misplaced.
We understand that Morrisons are likely to appeal the decision, so it may be some time before the final outcome is known and before it becomes clear what compensation, if any, the employees will be awarded. In the meantime, employers need to be aware that they could ultimately be held liable for the misconduct of their employees, even in circumstances where they would not consider the employee to have been acting in the course of their employment.
The impact of data breaches such as Mr Skelton's is likely to increase in importance once the General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Under GDPR, organisations will be under a positive obligation to report data breaches within 72 hours. With fines of up to £17 million or 4% of annual worldwide turnover, data breaches of employee information are likely to expose an organisation to fines, as well as to class actions from employees.