On 22 October 2018, the supermarket chain Morrisons lost its appeal against the High Court ruling that it is liable for a data breach that resulted in thousands of its employees’ personal data being posted online. The Court of Appeal’s (CoA) judgment can be found here.

Over 5,000 Morrisons’ employees brought a class action in the High Court after a company employee, Andrew Skelton, stole personal data, which included payroll information of almost 100,000 employees, including names, addresses, bank account details and salaries (see our previous blog on the High Court decision here).

Morrisons argued that Mr Skelton’s actions were insufficiently closely connected for it to be liable, as he perpetrated the act in his own home, on a personal computer and a number of weeks after he had stolen the personal data. The CoA rejected this, and was instead of the view that Mr Skelton’s actions fell “within the field of activities assigned to him” by Morrisons and that there was an unbroken chain of events linking his role as an employee to the disclosure of the personal data.

The CoA also rejected Morrisons’ argument that it was not vicariously liable on the basis that Mr Skelton’s motive was to harm his employer, and not to benefit himself in some way or inflict harm on a third party. All three of the CoA judges therefore agreed with the High Court that Morrisons was vicariously liable for the data breach.

Following a recent ruling by the High Court against WM Morrisons Supermarket PLC (“Morrisons”), employers may now find themselves vicariously liable for data breaches perpetrated by their employees.

Background

In 2014, it was discovered that a file containing the payroll data of 99,998 Morrisons’ employees had been uploaded to a file-sharing website. This data included names, dates of birth, addresses, national insurance numbers, and details of employees’ salaries and bank accounts.

Following an investigation, it was revealed that one of Morrisons’ employees, Andrew Skelton – a senior IT auditor – had copied the data which he was supposed to send to KPMG, Morrisons’ external auditors, to a personal USB drive. Mr Skelton then uploaded this data to a file-sharing website.

Mr Skelton’s actions were reportedly the result of a grudge that he held against his employer following an earlier, unrelated disciplinary incident. As a result, Mr Skelton was subsequently arrested and sentenced to eight years in prison pursuant to the Computer Misuse Act 1990 and the Data Protection Act 1998 (the “DPA”).

Now, in what is the first-ever group action case involving a data breach, 5,518 of the affected employees have brought a group class action against Morrisons for breach of its statutory duty under the DPA and at common law.

The claim was made on the basis that Morrisons was (i) directly liable for breaching its statutory duty; and (ii) in the alternative, vicariously liable for the breach in its capacity as Mr Skelton’s employer.