Employer Held Responsible for Rogue Employee’s Actions
An employer has been held vicariously liable for the criminal actions of its employee. So held the High Court recently in the case of Various Claimants –v- WM Morrisons PLC where the employee had published the personal data of thousands of customers online (a criminal offence).
What were the facts?
In January 2014, a file containing personal details of 99,998 of WM Morrisons PLC's employees was posted on a file sharing website. Links to that website were later posted elsewhere on the web.
The data posted included the names, addresses, gender, dates of birth, telephone numbers (home/mobile), national insurance numbers, bank sort codes, bank account numbers and the salaries of the employees in question.
In March 2014, three UK newspapers (including the Bradford Telegraph and Argus, which was local to Morrisons' head office) received a CD containing a copy of the data from an anonymous source. The sender – who turned out to be Morrisons' rogue employee – gave a link to the file-sharing site and claimed to be concerned about having discovered that payroll data relating to almost 100,000 Morrisons employees was available on the web. None of the newspapers published the information – but the Bradford Telegraph and Argus reported the publication to Morrisons.
The consequences of the rogue employee's action
There were very serious consequences to this disclosure of personal data.
Morrisons was about to publish its annual financial reports and risked allegations that it could not be trusted to keep its data secure. This had serious implications for Morrisons' share value.
There was also an immediate concern that the published information might be used by fraudulent outsiders to:
- access the bank accounts of individual employees;
- aid identity theft;
- phish for the additional information to enable dishonest access to the employees' bank accounts, take out loans, or make purchases under an assumed identity.
Morrisons took immediate action. They ensured the website was closed down and alerted the police.
It was soon discovered that the information had been taken from the data stored centrally by Morrisons. Only a few people had access to this data and it was possible to find out how and when the data had been extracted. Suspects were arrested – but were then found to have been innocent. They had been framed by one of Morrisons' senior IT auditors, Andrew Skelton – an employee who held a grudge against his employer.
What happened to the rogue employee?
Andrew Skelton was arrested on 19th March 2014 for the disclosure of the personal data. Charged with a criminal offence under the Computer Misuse Act 1990 and under Section 55 of the Data Protection Act 1998, he was tried, convicted and sentenced to a term of 8 years imprisonment.
The consequences of the data breach
Not surprisingly, those Morrisons employees whose data had been disclosed by Andrew Skelton brought an action against Morrisons for breach of the Data Protection Act. They numbered 5518 in total and brought a group claim.
The facts were not in dispute – Skelton had already been convicted of the offence – and the claimants did not therefore need to give evidence.
Was Morrisons liable for its employee's actions?
In reviewing this case, the judge considered whether Morrisons, as employer, was liable, directly or vicariously, for the criminal actions of a rogue employee in disclosing personal information of co-employees on the web.
This is a complex area of law and the judgment goes into considerable detail about the legal issues. For the purposes of this article, the key points are that:
- It was appropriate for Morrisons to have given Skelton access to the data so that he could carry out his role. The court found that Morrisons had failed to ensure the deletion of personal data from Skelton's work computer. Skelton had been able to publish the data from his personal computer while at home – outside working hours and with intent to harm his employer. However, Morrisons' failure had not caused any loss.
- Nevertheless, Morrisons was vicariously liable for Skelton's actions. His wrongful conduct in misusing the data was closely connected with his authorised duties and his employment.
The court did give Morrisons the right to appeal this decision – so we have not heard the end of this case yet.
Data Protection - lessons for employers
The Morrisons case flags up to employers very clearly the potential risks when their employees are dealing with the personal information of other employees and third parties such as customers. Employers must comply with strict laws when handling personal data to ensure it is handled and maintained correctly - and protected.
Personal data and its use is currently governed by the Data Protection Act – but will soon be governed by the more stringent rules set out in the General Data Protection Regulation (GDPR) that will come into force in May 2018.
General Data Protection Regulation (GDPR)
All businesses should be preparing for the introduction of the General Data Protection Regulation in May 2018.
To find out more about the GDPR and how your business can prepare, read our Guide to the General Data Protection Regulation (GDPR) for Businesses.
For more information on the issues raised by this case, contact Susan Mayall on 0161 684 6948 or make an enquiry.
Please note that the information and opinions contained in this article are not intended to be comprehensive, nor to provide legal advice. No responsibility for its accuracy or correctness is assumed by Pearson Solicitors and Financial Advisers Ltd or any of its members or employees. Professional legal advice should be obtained before taking, or refraining from taking, any action as a result of this article.