Val Surgenor

Last week, the Court of Appeal considered Wm Morrison Supermarket Plc’s (“Morrison’s”) appeal against the earlier High Court decision which held them liable for a data breach which was the result of a Morrison’s disgruntled employee’s actions. It was announced on Monday that Morrison’s have lost their Court of Appeal challenge against that decision which held them liable for the employee’s acts. This case is highly significant, given that it leaves organisations open to vicarious liability for the acts of “rogue employees” who may access and/or leak data after the end of their employment.

What happened?

The perpetrator of the data breach was the former senior internal auditor at Morrison’s’ Bradford headquarters, Andrew Skelton. In 2014, he leaked the personal data of other Morrison’s employees following an earlier incident, where he was accused of dealing “legal highs” at work. The data leaked included the names, addresses, bank account details and salaries of over 100,000 employees. Skelton circulated the information online and also disclosed the information to newspapers.

As far as criminal implications for Skelton, he received an eight-year prison sentence in 2015. He was found guilty of fraud, securing unauthorised access to computer material and disclosing personal data.

The High Court Ruling

The High Court held Morrison’s liable for the data breach perpetrated by Skelton and found that staff were entitled to be compensated as a result of their personal information being disclosed in this manner.

Morrison’s were deemed to be vicariously liable for the acts of Skelton, in spite of the fact that his acts constituted criminal activity. This was because he was seen to be “acting in the course of his employment” when he disclosed the data.

The Appeal

Morrison’s appealed against the High Court’s judgment on the basis that they ought not to have been held vicariously liable for the acts of Skelton. The appeal was heard by three judges in the Court of Appeal who supported the High Court’s previous judgment – therefore refused Morrison’s appeal - and found that Morrison’s were vicariously liable for the acts of Skelton

In a statement following the hearing, Morrison’s stated that they “worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged.” Further, they have stated that they are unaware of any individual having sustained direct financial loss as a result of the breach. Therefore, they have indicated that they will appeal this decision to the Supreme Court.

The Court of Appeal judges referred to frequent corporate data breaches which have occurred in the past few years due to systems failures and negligence. Recognising that these may lead to compensation claims for “potentially ruinous amounts,” they said that the way forward for organisations is to “insure against such catastrophes” and losses caused by rogue employees.

The text of the Court of Appeal’s judgment has not yet been released and therefore we await this in order to ascertain the full rationale for the Court of Appeal’s decision.

Practical Implications

This judgment is highly significant for a number of reasons. Firstly, it is the first class action to have been brought in the UK concerning a data breach.

Secondly, Nick McAleenan, representative of the employees, said: “the judgment is a wake-up call for business.”

The judgment serves as an important warning for organisations as it illustrates that organisations may be held to be responsible for the behaviour of a “rogue employee” if that behaviour is deemed to be carried out in the course of their employment.