Data Breach in the UK: Can a Rogue Employee Leave You on the Hook?

A supermarket chain in the United Kingdom has been all over the press after it was held liable for a data breach by a rogue employee. This article analyzes the appellate court’s judgment to set out what it means for employers in the UK.1

The Question before the Court

The key question for the Court of Appeal was whether an employer (in this case the supermarket, Morrisons) was liable where an employee committed a deliberate criminal act and disclosed personal data in breach of the Data Protection Act 1998. The High Court – which is the UK equivalent to the trial court – had previously held that the employer was not directly liable for the breach (except in respect to one small security point) but was vicariously liable to the 5,000 claimants who brought the claim.

The Facts

This case was unusual – perhaps even unique – and we have set out the facts below:

  • Mr. Skelton was an IT internal auditor at Morrisons. He was given a formal written warning in July 2013, and this incident purportedly left him with a grudge against his employer.
  • On November 1, 2013, as part of his duties, Mr. Skelton came into contact with some payroll data, which was saved on his desktop. A few weeks later, Mr. Skelton copied the payroll data onto a personal USB with the intent to subsequently commit a crime.
  • In January 2014, Mr. Skelton copied the payroll data from his personal USB and posted a file (containing the names, addresses, gender, dates of birth, phone numbers, national insurance numbers, national insurance numbers, bank details, etc.) of 100,000 employees on the internet.
  • A few months later, he anonymously sent a copy of the data to three newspapers and alerted them to the information on the internet.
  • Not long afterwards, the activity was traced back to Mr. Skelton. He was arrested, charged with criminal offenses, convicted, and sentenced to eight years' imprisonment.

The High Court

The High Court held that Morrisons was not the data controller with respect to the data at any time (i.e., Mr. Skelton had become the data controller) and was therefore not directly liable to the claimants (except as to one small security issue, which is not material here). The court held, however, that Morrisons (as the employer) was vicariously liable for the data breach of the 5,000 employees who brought claims.

The Court of Appeal and Vicarious Liability

Morrisons appealed the lower court’s finding that it was vicariously liable for Mr. Skelton’s actions. In order to be successful, the individuals bringing the claims had to demonstrate that (1) the act was within the “field of activities” that had been entrusted by Morrisons to Mr. Skelton; and (2) that there was a sufficient connection between his role and his wrongful conduct to make it proper to hold Morrisons liable. Morrisons had argued that it was not vicariously liable for Mr. Skelton’s actions.

Outcome

The Court of Appeal upheld the High Court’s decision that Morrisons was vicariously liable for Mr. Skelton's actions.

On the first point, Morrisons had entrusted Mr. Skelton with the payroll data as part of his role and as part of a task that had been assigned to him.

On the second point, the Court of Appeal affirmed the High Court’s decision that the close connection test was satisfied. We have drawn out a few notable points for employers:

  • It does not matter where or when the breach happened – the High Court said that although the act that caused the harm was done at Mr. Skelton’s home on a Sunday several weeks after he downloaded the data onto his own USB, there was an “unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events.” The Court of Appeal explained that it was not so much about the gap in time, but the change in the nature of relationship. Moreover, the employee did not need to be in the workplace or on working time for Morrisons to be vicariously liable.
  • Motive is not a defense – there was no exception to Morrisons’ liability based on Mr. Skelton’s motive (which was to damage the company, and not to achieve some benefit for himself or to harm the individuals).
  • The solution is to insure – the Court of Appeal suggested (in a slightly unusual comment) that the solution for employers was to insure against data breaches by employees.
  • The burden on employers was irrelevant – in this case there was no harm; however, the Court of Appeal indicated that in future cases, if there was harm, aggrieved individuals could pursue claims against the employer.
  • The future of data protection group litigation – this case presents the first example of data protection group litigation in the UK; might it be the start of things to come?

Morrisons has said that it will appeal this case to the UK Supreme Court. We will continue to monitor the progress of the litigation and will report back on any future developments, so keep your eyes peeled for the next instalment! In the meantime, employers interested in discussion of the GDPR and its impact thus far may wish to consult our recent webinar on the topic, which is available here.


See Footnotes

1 To be clear, this case was decided under older law (the Data Protection Act 1998), not under the more-recently adopted European Union General Data Protection Regulation (GDPR). While the application of the GDPR would not impact the substance of the case, it would affect the amount of the potential fine.

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.