Rogue One: A vicarious liability data breach story

Print this page Email a link to this page

In a landmark ruling, the Court of Appeal has upheld the decision of the High Court and held that an employer was vicariously liable for the actions of a rogue employee who uploaded the personal information of around 100,000 colleagues to a file sharing website in early 2014.

The full case can be found here.

What did the rogue employee do?

Mr Skeleton, a senior IT internal auditor employed by national supermarket chain Morrisons, was given a verbal warning in July 2013 following a disciplinary hearing. This left him with a grudge against his employer. In November 2013 Skeleton was tasked with sending payroll data to KPMG. He did so, but he also copied the information on to his personal computer.

Just before Morrison’s annual financial reports were announced, Skeleton released the personal data onto a file-sharing website. He posted links to that site on other websites and sent copies of the data to newspapers, who informed Morrisons. Skeleton’s motivations were found to be malicious and he was convicted and imprisoned for eight years at a subsequent criminal trial.

Was Morrison’s (the employer) liable?

The Court found that Morrison’s had no primary liability, Skeleton’s actions were not conducted on behalf of his employer and Skeleton (not Morrisons) was the true data controller at the time of Mr Skeleton’s criminal actions.

However, the Court held that Morrisons was vicariously liable for Skeleton’s actions. Langstaff J concluded that there was a sufficient connection between Skeleton’s actions and the course of his employment. There was a seamless and continuous sequence of events that linked Skeleton’s employment to the disclosure. Morrisons entrusted Skeleton with the data during the course of his employment, and they tasked him with receiving, storing and disclosing the data, therefore his actions were closely related to the task he was given.

The fact that Skeleton unlawfully disclosed the data from his personal computer, at home and outside of working hours was not sufficient to break the chain of events linking his employment to the disclosure.

What does this mean for employers?

This case confirms that vicarious liability for breach of confidence or misuse of private information can arise without any fault on the part of the employer, and in circumstances where the employee’s acts are unauthorised and even criminal.

For employers, the onus is on you to put in place data security arrangements to minimise the possibility of unauthorised data leaks.

Employers should ensure that adequate safeguards are put in place to protect the business against rogue employees. This includes:

  1. Close monitoring of how sensitive data is handled;
  2. Ensuring you have up to date and strictly applied policies on the handling of personal data and codes of conduct; and
  3. It may include introducing indemnities into employment contracts as a potential deterrent.

Employers should also ensure that sufficient insurance policies are taken out.

For more information on how we can help your organisation, please call Tony McPhillips on 0191 211 7908 or email [email protected].