Beware the rogue employee: the principle of vicarious liability extends further than you think

It is well known that employers can be held vicariously liable for unlawful acts committed by their employees which occur in the course of their employment.

Whether an employee was, or was not, acting in the course of their employment at the time the relevant act takes place, will always be a matter of fact and degree to be assessed by the Courts in each case. And that was exactly the task which the Court of Appeal undertook when assessing the actions of Mr Skelton, a disgruntled Morrisons employee, who, in an act of revenge, downloaded confidential salary information for over 5,000 employees and later, when his employment had ended, published it on the internet.

In its Judgment issued this week, the Court of Appeal has decided that Morrisons was vicariously liable for Mr Skelton’s actions. In what has been described as a bewildering judgment, the Court reached this conclusion despite:

  • Mr Skelton’s clear intention and motivation being to harm Morrisons;
  • Mr Skelton having distributed the data at home, using his home computer, some time after the initial download of the employee data, so that, arguably, he was not ‘on the job’ at the time of the data breach;
  • Mr Skelton being sentenced to 5 years’ imprisonment in recognition of the criminal act he had committed;
  • No financial loss being caused to the individuals affected by the data breach.

The Court has granted Morrisons leave to appeal the decision to the Supreme Court, and doubtless they will, which means the Court of Appeal’s ruling is unlikely to be the final word in this long-running saga. The smart money seems to be on the Supreme Court upholding the lower courts’ decisions. If it does, Morrisons will be forced to pay out compensation running into the millions for injury to feelings of those impacted by the data breach.

What can be learned from this case?

This is, without question, a harsh judgment, the ripple effect of which is likely to be felt by employers of all sizes, and across all sectors.

It is important to emphasise that Morrisons had taken a responsible approach to data protection and security and Mr Skelton had broken every rule in their data protection rule book. They had trained staff in data protection. They had told them what was expected of them when it came to handling personal data, and what they were not permitted to do with employees’ personal data. They had put some technical and organisational security measures in place to prevent a breach. Were those measures perfect? Probably not. Were they industry standard at the time? Probably yes. In that sense, they had ticked all the boxes of a responsible employer and you would expect them to come out on top. What they hadn’t done, and where ultimately they’ve fallen down, is anticipate the acts of a renegade employee and insure against the possibility of a data security breach.

Above all, this ruling (and the increasing trend of similar cases around vicarious liability) puts into sharp focus the need for businesses to have appropriate insurance cover in place to protect themselves against the fallout from nefarious and reckless acts by disgruntled employees. Morrisons tried to persuade the Courts that they should not be held to be vicariously liable because of the huge financial burden an adverse ruling would impose. The Court’s response: it was a risk you could have insured against, and you didn’t, so tough.

If you want to understand your obligations so far as employee data is concerned, after the introduction of the GDPR and Data Protection Act 2018, please do not hesitate to contact Tiggy or Emma.
