UK: Data breach: employer vicariously liable for data breach by rogue employee
Mr Skelton (S), an internal auditor and employee of supermarket chain Morrisons (M), deliberately published the personal data of 100,000 employees on a file sharing website and then anonymously sent the data on a CD to 3 newspapers. S was subsequently convicted of criminal misuse of the payroll data and sentenced to 8 years in prison. As soon as M discovered the breach, it took action to take the website down, to protect the data and to guard against any financial loss which might result from the disclosures. Despite this, 5500 employees brought a claim against M for S’s act of disclosing the data.
The Court of Appeal found that M was vicariously liable for S’s wrongful acts. Vicarious liability means that an employer is liable for the wrongful actions of its employees where (1) the employee’s actions fall within the “field of activities” entrusted to them and (2) there is a sufficient connection between those wrongs and the employee’s employment such that it would be fair to hold the employer vicariously liable. In this case, S had been deliberately entrusted with the payroll data in his role as internal auditor, and when he published it online, this was within the “field of activities” assigned to him.
Comment:
Unless and until this decision is reversed on appeal to the Supreme Court, businesses should insure against data breaches because even if you take all reasonable steps to secure the personal data you hold, you may still be liable for breaches caused by rogue employees.
WM Morrison Supermarkets PLC v Various Claimants [2018] EWCA Civ 2339, Court of Appeal
http://www.bailii.org/ew/cases/EWCA/Civ/2018/2339.html
For a detailed update on this decision, see Court of Appeal confirms supermarket vicariously liable for data breach by rogue employee https://www.clydeco.com/blog/the-hive/article/court-of-appeal-confirms-supermarket-vicariously-liable-for-data-breach-by