As if GDPR, data protection responsibilities and potential fines weren’t frightening enough, this case confirms another layer of danger for employers – liability for harm caused by the criminal activities of employees in relation to data breaches.

A senior IT internal auditor at a supermarket had been entrusted with passing on payroll information of just under 100,000 employees to an external auditor as part of the annual audit. After receiving a formal warning from the employer for the unauthorised use of postal services, the auditor held a grudge. He released the personal data of employees to a file-sharing website.

A group litigation claim was initiated by 5,518 employees/former employees who sued the supermarket for breach of the Data Protection Act 1998, misuse of private information and breach of confidence. It was argued that the supermarket was directly liable and/or vicariously liable for the actions of the internal auditor.

The High Court rejected the argument that the supermarket bore any primary liability but held that there was a ‘sufficient connection’ between the release of the data and the auditor’s employment such that the employer was vicariously liable for his conduct.

The Court of Appeal has agreed with the characterisation of the disclosure as ‘a seamless and continuous sequence of events’ and that ‘there was an unbroken thread that linked his work to the disclosure’. The appeal was dismissed.

Practical Lessons

A unique element of the facts was that the employee sought to harm his employer rather than to gain something for himself or to injure anyone else.

There is clear precedent that an employer may be vicariously liable for deliberate wrongdoing by an employee. However, the Court of Appeal rejected the argument that the motive of the employee must be analysed, whether that involves causing harm to a third party or causing financial or reputational damage to the employer.

Endorsing previous case law, the Court of Appeal noted that the particular motivations of the employee were ‘neither here nor there’. Employers will therefore be unable to cite the motive of the employee as a potential defence when the issue of vicarious liability arises.

The Court recommended that employers insure themselves against vicarious liability for malicious acts:

“There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees. We have not been told what the insurance position is in the present case, and of course it cannot affect the result. The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward by Ms Proops [the Appellant’s QC] on behalf of Morrisons.”
https://www.bailii.org/ew/cases/EWCA/Civ/2018/2339.html

A review of the subsequent Supreme Court appeal in this case is available here:
https://www.legal-island.com/articles/uk/case-law/2020/april/wm-morrison-supermarkets-plc-v-various-claimants-2020/