Vicarious Liability: Employer Held Liable For Data Breach By Disgruntled Employee

In the case of VM Morrison Supermarkets Plc v Various Claimants, the Court of Appeal (“CA”) held that the supermarket chain Morrisons was liable for the actions of an employee who wrongfully disclosed the personal data of 99,998 of his colleagues.

The employee Mr Skelton, was a senior IT internal auditor employed by Morrisons. Having used Morrisons’ postal facilities for his private purposes without permission, an internal disciplinary hearing was held and Mr Skelton was given a formal verbal warning.

Mr Skelton was annoyed by the disciplinary proceedings and the sanction he received, and subsequently uploaded payroll data from his home computer onto the internet which contained the personal details of 99,998 of his colleagues. The data consisted of the following: names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and salaries.

Morrisons were alerted of the breach, took down the website and informed the police. Mr Skelton was arrested and sentenced to eight years imprisonment.

As a result of the data breach, 5,518 employees (the “Claimants”) issued a claim for damages, against Morrisons, for misuse of private information, breach of confidence, and breach of statutory duty under data protection legislation. The Claimants argued that Morrisons was vicariously liable for the wrongful conduct of Mr Skelton.

The High Court held that Morrisons was vicariously liable for the data leak because Mr Skelton unlawfully disclosed the personal data in the course of his employment.

Morrisons appealed to the CA, however the CA upheld the High Court’s ruling.

The CA had to consider two issues: 1) the functions or field of activities entrusted by Morrisons to Mr Skelton (the nature of Mr Skelton’s job); and 2) whether there was a sufficient connection between Mr Skelton’s position and his wrongful conduct to make it right for Morrisons to be held liable.

It was accepted that the nature of Mr Skelton’s job was to deal with the payroll data, he was therefore deliberately entrusted with its protection.

In regards to the second issue, Morrisons argued that there was not a sufficient connection between Mr Skelton’s job and his wrongful conduct because he had uploaded the personal data from his home computer. However, the CA stated that although the time and place at which an act occurs will always be relevant, it is not conclusive to establishing vicarious liability. There are a number of cases where employers have been held liable for the acts committed by their employees away from the workplace. Mr Skelton misused his position of trust in a way which injured the Claimants, and as Morrisons put him in that position of trust it was held that Morrisons should be held responsible. There was an unbroken thread that linked Mr Skelton’s work to the unlawful disclosure.

This case serves as a reminder of the potential for employers to be held liable for an employee’s wrongful conduct outside of the workplace.

Please contact us if you would like more information about the issues raised in this article or any other aspect of employment law on 029 2034 5511 or