December 2018
Defence + Indemnity
Field Law Insurance Group
EMERGING TECHNOLOGY ISSUES
Employers can be vicariously liable at common law for the actions of a rogue
employee who brings about an unauthorized cyber data breach, even where the
employee’s motive was to harm the employer rather than to injure the third parties
whose data is involved or to obtain personal gain.
Wm Morrison Supermarkets PLC v Various Claimants,
2018 EWCA Civ 2339
FACTS AND ISSUES:
Skelton was employed by a supermarket company (Morrisons) as a Senior IT
Auditor. After he was formally disciplined in 2013 he bore a grudge against the
company. In 2014, in the course of his duties, he was assigned the task of
transmitting employee personal data on a USB memory stick to the company’s
external auditors. He copied this data from his employer-supplied computer
onto a personal USB stick before passing the data on to the auditor.
Subsequently, he posted the personal data of almost 100,000 Morrisons
employees online. He took (unsuccessful) steps to attempt to frame another
employee for the breach. The trial judge held that Skelton’s actions were not a
“sequence of random events” but all part of a careful plan to cause the company
harm. He was ultimately convicted of crimes for this conduct. A number of
Morrisons employees (5,518) brought a class action against the company,
seeking damages for breach of the U.K. Data Protection Act, s. 4(4) and at
common law for the torts of misuse of private information and breach of
confidence.
The trial judge held that the company was not directly liable for breach of the
statute or at common law. Although it was the “data controller” within the
meaning of the statute for the data on its own storage devices, it was held not
to be the “data controller” of the data on Skelton’s personal USB stick that was
posted online. The trial judge held that Morrisons did not know, nor ought it to
have known in the circumstances, that Skelton bore a grudge or would act
criminally with the data. Morrisons was held to have breached a Data Protection
Principle (DPP) set out in the statute in that it should have had better procedures
in place to ensure that confidential data was deleted from Skelton’s laptop
shortly after it had been provided to the external auditors, and after temporary
use outside of its database. However, the trial judge held that this breach of the
DPP “could not have prevented an individual determined to [misuse the data]
from copying sensitive data held on his work laptop to some other medium” and
Skelton had stolen the data before it would have been deleted in compliance
with the rule.
However, the trial court held Morrisons to be vicariously liable for the actions of