Employers can be vicariously liable at common law for the actions of a rogue employee who brings about an unauthorized cyber data breach, even where the employee's motive was to harm the employer and not to injure the third parties whose data is involved or for personal gain.

Wm Morrison Supermarkets PLC v Various Claimants, 2018 EWCA Civ 2339


Skelton was employed by a supermarket company (Morrisons) as a Senior IT Auditor. After he was formally disciplined in 2013 he bore a grudge against the company. In 2014, in the course of his duties, he was assigned the task of transmitting employee personal data on a USB memory stick to the company's external auditors. He copied this data from his employer-supplied computer onto a personal USB stick before passing the data on to the auditor. Subsequently, he posted the personal data of almost 100,000 Morrisons employees online. He took (unsuccessful) steps to attempt to frame another employee for the breach. The trial judge held that Skelton's actions were not a "sequence of random events" but all part of a careful plan to cause the company harm. He was ultimately convicted of crimes for this conduct. A number of Morrisons employees (5,518) brought a class action against the company, seeking damages for breach of the U.K. Data Protection Act, s. 4(4) and at common law for the torts of misuse of private information and breach of confidence.

The trial judge held that the company was not directly liable for breach of the statute or at common law. Although it was the "data controller" within the meaning of the statute for the data on its own storage devices, it was held not to be the "data controller" of the data on Skelton's personal USB stick that was posted online. The trial judge held that Morrisons did not know, nor ought it to have known in the circumstances, that Skelton bore a grudge or would act criminally with the data. Morrisons was held to have breached a Data Protection Principle (DPP) set out in the statute in that it should have had better procedures in place to ensure that confidential data was deleted from Skelton's laptop shortly after it had been provided to the external auditors, and after temporary use outside of its database. However, the trial judge held that this breach of the DPP "could not have prevented an individual determined to [misuse the data] from copying sensitive data held on his work laptop to some other medium" and Skelton had stolen the data before it would have been deleted in compliance with the rule.
