In the first ever group litigation for a data breach to come before the Courts, the High Court in Various Claimants v Wm Morrisons Supermarkets Plc  has found Morrisons vicariously liable for the leak of almost 100,000 employees’ details by a disgruntled ex-employee, Andrew Skelton.
Mr Skelton was employed by the supermarket chain, Morrisons, as a senior IT internal auditor. In 2014, he downloaded payroll data to a USB stick and posted a file online containing the National Insurance numbers, dates of birth, addresses, salaries and bank account details of approximately 100,000 of his fellow employees.
In 2015, Mr Skelton was found guilty of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 and sentenced to 8 years imprisonment. Morrisons was awarded £170,000 in compensation as a result of the data breach. During his Crown Court trial, the Court heard that Mr Skelton held a grudge against his employer after he received a warning for using the company’s post room to sell items on eBay. The Crown Court at Mr Skelton’s criminal trial also heard that when Morrisons were informed about the data breach, they acted quickly to take down the leaked information within 24 hours.
Following Mr Skelton’s conviction, a group of over 5,500 Morrisons’ employees took action to recover compensation for breach of statutory duty under the Data Protection Act, breach of confidence and misuse of private information. Morrisons denied liability, arguing that the company was not liable either directly or indirectly for Mr Skelton’s criminal misuse of the data and that as a company, it had already suffered serious damage as it incurred £2 million costs as a result of the data breach.
The High Court considered two questions:
The Court identified only one breach of the DPA by Morrisons, namely that it had not organised the deletion of the data from his work computer. However, Langstaff J held that the failure did not in itself cause any loss. He said “Morrisons have not been proved to be at fault by breaking any of the data protection principles, and neither primary liability for misuse of private information nor breach of confidentiality can be established.”
The Court however, held that Morrisons was vicariously liable for the individual’s conduct.
The key test was whether Mr Skelton’s actions were carried out in the course of his employment. The Court stated that the disclosure online of the payroll data, was connected by time, place and nature from his employment and this was as a result of several reasons, including that Morrisons had deliberately entrusted the employee with the specific payroll data, that the employee was appointed on the basis that he would receive confidential information and that Morrisons took the risk that it might be wrong in placing its trust in him. The fact that the disclosures were made much later, using his personal equipment outside of working hours, was not substantial enough to break the relationship between the parties.
The Court found that there was a sufficient connection between the position in which Mr Skelton was employed, and his wrongful conduct to make it right for Morrisons to be held liable. Morrisons has been granted leave to appeal.
Maxine Orr is a Partner specialising in Employment Law in Worthingtons Commercial Solicitors Belfast.