Morrisons data breach: the facts
Morrisons is a large supermarket chain in the UK. Mr Skelton was Morrisons’ senior IT internal auditor. In July 2013, he was given a formal verbal warning for an incident involving his unauthorised use of Morrisons’ postal facilities for his private purposes. As a result of this, he held a grudge and set out to damage Morrisons.
On 1 November 2013, KPMG, who were Morrisons’ external auditors, requested various categories of data, including payroll data, from Morrisons so that it could undertake the annual audit. A member of HR copied the data on to an encrypted USB stick and took it directly to Mr Skelton who downloaded it on to his laptop which was also encrypted. He copied the data on to an encrypted USB stick provided by KPMG and returned it to KPMG. On 18 November 2013, whilst at work, he copied the payroll data on to a personal USB stick and on 12 January 2014, from home, he uploaded a file containing 100,000 employees’ personal details (names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank and salary details) on to a file sharing website. On 13 March 2014, acting anonymously, he sent a CD containing a copy of the data to three newspapers (who did not publish the information) and he also provided a link to the file sharing website.
Mr Skelton was later found guilty of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (“DPA”) and sentenced to eight years in prison.
Over 5,000 Morrisons’ employees claimed compensation for breach of statutory duty (breach of the data protection principles in the Data Protection Act 1998) and at common law (misuse of private information and breach of confidence). They argued both that Morrisons was liable for its own acts and omissions and that it was vicariously liable for the acts and omissions of Mr Skelton.
The High Court ruled that Morrisons itself had not acted unlawfully (save in one respect which had not contributed to the disclosure). However, it went on to rule that it was vicariously liable for Mr Skelton’s conduct, on the basis that his actions were carried out in the course of his employment.
Morrisons appealed to the Court of Appeal.
The test for vicarious liability required a consideration of whether Mr Skelton’s actions fell within the “field of activities” entrusted to him and whether there was a sufficient connection between Mr Skelton’s job and his wrongful conduct to make it right that Morrisons should be held liable for that conduct.
The High Court had considered these matters. It found that Morrisons deliberately entrusted Mr Skelton with the payroll data, that dealing with data was a task specifically assigned to him and that he was appointed on the basis that he would receive confidential information and could be trusted to deal with it safely. It was a part of his role to receive and store payroll data and to disclose it to a third party (KPMG). Whilst he was not authorised to disclose it more widely, the unauthorised disclosure was nonetheless closely related to what he was tasked to do. The High Court had therefore been correct to conclude that his actions fell within the field of activities entrusted to him.
Morrisons argued that the “close connection” test was not satisfied as the conduct which caused the harm (uploading the data to the file sharing site) was done by Mr Skelton at his home, using his home computer, on a Sunday, several weeks after he had downloaded the data at work on to his personal USB stick. The Court of Appeal rejected this argument, agreeing with the High Court’s view that there was an unbroken chain of events linking his work to the disclosure.
The Court of Appeal also rejected Morrisons’ argument that it should not impose vicarious liability in a case where an employee’s motive is to harm his employer, rather than to achieve some benefit for himself or to inflict injury on a third party. An employee’s motive is irrelevant, and the Court considered that there should be no exception where the motive is to cause the employer financial or reputational damage.
The Court of Appeal was also unconvinced by Morrisons’ argument that given the number of claimants and the number of employees affected, imposing vicarious liability would place an enormous burden on Morrisons (and other employers in future cases). It considered that the solution to this was to obtain insurance.
The Court of Appeal therefore agreed with the High Court that Morrisons was vicariously liable for Mr Skelton’s conduct.
An employer can be held vicariously liable for an employee’s unlawful acts, even where the employee’s motive is to harm their employer. The employee’s motive is irrelevant. The result is a harsh one for Morrisons as there was nothing it could have done to prevent this from happening. The Court’s answer is to insure against losses caused by dishonest or malicious employees. Employers should therefore review their insurance and consider extending cover if they are not already protected against losses of this nature.
The amount of compensation payable has yet to be decided, but as none of the employees appears to have suffered any financial loss, it is possible that they will only be awarded nominal damages. Nevertheless, with 5,000 claimants and another 95,000 affected employees (who could yet bring claims), the sum may still be significant.
Morrisons has indicated that it intends to appeal to the Supreme Court and so this may not be the last word on the matter.