A landmark ruling has overturned a Court of Appeal decision, finding that the supermarket Morrisons is not vicariously liable for an employee’s deliberate disclosure of the personal data of co-workers.
The employee, Andrew Skelton, was a former senior internal auditor, and was said to be acting on “a grudge” when he leaked payroll data for more than 100,000 Morrisons workers, resulting in thousands of Morrisons staff making claims against the supermarket.
The Supreme Court judgment overturned a previous Court of Appeal ruling that, if upheld, would have significantly extended employers’ liability for data breaches, even in cases where an employee’s actions are criminal and they actively attempt to hide their wrongdoing.
In this case, Supreme Court president Lord Reed explained that the company should not be held accountable for Mr Skelton’s “personal vendetta” against the business, which followed a disciplinary he had received a month earlier. Lord Reed said that businesses can only be held liable for the actions of staff if they are linked to their daily duties.
Julia Wilson, partner in the employment practice at Baker McKenzie, said:
“The previous Court of Appeal decision had stretched the concept of an employer’s vicarious liability for its employees very far, to hold an employer liable for the acts of an employee who was pursuing a personal vendetta outside the workplace, and had deliberately tried to hide his wrongdoing. In this case, the wrongdoing was a data breach and the unlawful release of personal data of over 125,000 Morrisons employees. Whilst often the vicarious liability of an employer has limited effects (usually owing liability to one or a small handful of employees), in this case the data breach element amplified the risk to Morrisons – who faced over 9,000 claimant employees in the end. If the Court of Appeal decision had been upheld, the level of damages Morrisons might have faced would be huge. The Supreme Court has overturned the Court of Appeal’s decision, finding that the wrongdoer’s actions were not sufficiently closely connected with his employment that Morrisons should be liable for them.
“There is a sting in the tail: the Supreme Court considered whether an employer could be vicariously liable for data breaches at all under data protection law. They have decided that an employer can be liable, and data breaches are daily news. So, in situations where an employee commits a data breach which is found to be ‘in the course of employment’, the employer can be liable.”