Can an employer be vicariously liable for a rogue employee’s data breach?
Whether an employer can be vicariously liable for a rogue employee's data breach is a question that has been asked frequently since the GDPR came into force four years ago. In recent years there has been an increased focus on data protection from both businesses and individuals.
The legal test for an employer’s vicarious liability
The legal test is the "close connection test": where an employee commits a wrongful act (whether negligent or deliberate), the employer is vicariously liable (i.e. legally responsible) for it only if the act is closely connected with the work the employee was employed to do.
In a first-of-its-kind group action, a claim against Morrisons by a group of its employees made its way through the court system and was finally decided by the Supreme Court in April 2020, just as the pandemic began to bite. The Supreme Court found that, on the facts of that case, Morrisons was not vicariously liable for the actions of its employee in disclosing the payroll data of around 100,000 colleagues on the internet. It reiterated that for an employer to be responsible for an employee's actions, the employee's actions must be closely connected to the duties of their role.
The case had to go all the way through the court system to reach this conclusion, with both the High Court and the Court of Appeal finding that Morrisons was responsible for the employee's actions. Those earlier decisions caused concern for employers at risk of finding themselves in a similar situation.
The Facts
Mr Skelton, who released the information, was a senior IT internal auditor employed by Morrisons. His actions were fuelled by a grudge arising from a disciplinary he received for using Morrisons' postal facilities for his personal use.
Morrisons asked Mr Skelton to provide payroll data to KPMG, who had requested it for external auditing purposes. After copying the data onto a USB stick and passing it to KPMG, he also copied it onto a personal USB stick. Subsequently, he posted the data on a file-sharing website and sent copies to newspapers. He posted the data from an account which he had created in a colleague's name.
Mr Skelton denied three counts of fraud, but was found guilty and sentenced to eight years in prison in 2015. It is estimated that his actions cost the supermarket around £2 million.
The High Court Decision
A group of Morrisons employees alleged that Morrisons had breached the Data Protection Act 1998, which applied at the time. The High Court decided that Morrisons had put appropriate and adequate data protection controls in place and had complied with the Data Protection Act 1998, so it was not directly liable for the breach. However, in December 2017, the High Court ruled that Morrisons was nevertheless vicariously liable for Mr Skelton's actions as his employer.
The Court of Appeal Decision
Morrisons appealed on two points.
- Firstly, it argued that the Data Protection Act 1998 expressly or impliedly excluded employers from being vicariously liable for their employees' actions, and that it would be unreasonable for such liability to apply given its impact on small businesses. The Court of Appeal rejected this argument and suggested that employers should instead have adequate insurance in place to cover this risk.
- Secondly, Morrisons argued that the High Court had been wrong to find it responsible for Mr Skelton's actions under the vicarious liability test. For an employer to be vicariously liable for the actions of its employee, the court must:
- consider the nature of the responsible employee’s job; and
- decide whether there is a sufficient connection between the employee’s role and the wrongful conduct that occurred.
Essentially, the test is whether the actions were done in the course of the employee's employment or were separate from it.
Morrisons argued that because Mr Skelton had downloaded the data several months before posting it, had published it from his home on a Sunday, and had used his personal laptop, there was not a sufficient connection between his role and his actions.
The Court of Appeal rejected this argument. It agreed with the High Court that there was an unbroken chain of events leading to the wrongful conduct, and that it did not matter that Mr Skelton was not "on the job" when the disclosure actually occurred. The key point was that Mr Skelton's role specifically involved handling payroll information, which was the very information he illegally disclosed. His role in respect of the payroll data was to receive it, store it and disclose it to a third party, namely the external auditor. His unauthorised disclosure was therefore closely related to what Morrisons had tasked him to do. Further, when he received the data and covertly copied it to his personal USB stick, he was acting as an employee, and the chain of events from that point until disclosure was unbroken. For these reasons, the Court of Appeal held that there was a sufficiently close connection between Mr Skelton's employment and his wrongful conduct, making it right for Morrisons to be held liable.
The Court of Appeal considered that Mr Skelton's motives (and the fact that his conduct was criminal) were not relevant.
The Supreme Court’s Final Decision
Luckily for Morrisons, on appeal to the Supreme Court the Court of Appeal's decision was reversed, and the final decision in this landmark case was that Morrisons was not vicariously liable for the actions of its employee.
The Supreme Court held that to find Morrisons vicariously liable, it would have to be satisfied that the employee's act in disclosing the data was "so closely connected with acts he was authorised to do that... his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment."
On the facts, the judges agreed that this test was not met. The employee was not "furthering his employer's business" when he leaked the information on the internet; he was acting in a personal capacity, pursuing a personal vendetta because he was unhappy about the disciplinary action taken against him. The Supreme Court concluded that his actions could not fairly and properly be regarded as having been done while acting in the ordinary course of his employment.
The implications for employers
The final Supreme Court decision was a big relief not just for Morrisons but for other employers too. The decisions of the lower courts in this case would have had huge implications for employers had Morrisons not continued to pursue its appeal.
To avoid being in a similar position to Morrisons, the starting point for employers is to ensure that they have compliant data protection policies in place and have updated them to meet the more rigorous requirements of the GDPR. Note that in Morrisons' case the High Court found the company's data protection controls to be adequate; it was the vicarious liability question, not the adequacy of its controls, that took the case to the Supreme Court, so compliant policies alone do not remove the risk.
As the Court of Appeal highlighted, employers should also ensure they have insurance cover that extends not only to negligent acts by employees but also to losses caused by malicious employees.
Where a data protection breach does occur, employers should act quickly to minimise the impact on the individuals affected, and improve their systems to prevent further breaches.
If you need help updating your data protection policies to ensure you are adequately protected, please get in touch with any member of the Employment team.