Court Of Appeal Confirms Supermarket Vicariously Liable For Data Breach By Rogue Employee

An alarming decision handed down by the Court of Appeal this week against supermarket Morrison is certain to hurry employers to their insurance brokers to protect themselves against data breach. Confirming the High Court's earlier decision (which we reported on in 2017), the Court of Appeal found that Morrison was vicariously liable for the actions of a rogue employee who, driven by a grudge against the supermarket chain, took payroll data relating to 100,000 employees and published it online.

The facts are fairly well known given the media attention, but here's a brief summary.

Andrew Skelton (S), an internal auditor and employee of Morrison, had been provided with the personal data of 100,000 Morrison employees as part of Morrison's annual statutory audit process; he was one of a limited number of employees who had been permitted access to all of the data, which was held in a secure internal environment created by proprietary software. S had secretly copied the data from his encrypted work laptop onto a personal USB and then published it on a file sharing website. He then anonymously sent the data on a CD to three newspapers with a message that the person supplying the information had "worryingly discovered" that the payroll data was available on the web. A criminal investigation and trial ensued, where it emerged that S's action had been born out of a grudge he had against Morrison following a disciplinary process against him earlier in 2013, where S felt he had been unjustly treated. S was convicted in relation to his criminal misuse of the payroll data and was sentenced to eight years in prison. The length of the sentence was partly because of the serious damage his actions had caused to Morrison.

Immediately after Morrison discovered the breach, it took action to take the website down, to protect the data and to guard against any financial loss which might result from the disclosures. Despite this, 5,500 employees brought a claim on the basis that Morrison was directly liable for S's act of disclosing the data or, alternatively, that it was vicariously liable for S's actions. The claims were heard by the High Court in 2017 in the first group litigation of its kind.

So why was Morrison liable, when it was found to be entirely innocent of any misuse of private information, and (except in one inconsequential respect) its data security measures were adequate?

The Court of Appeal's reasoning is based on the principle of vicarious liability and how that interacted...
