
Employers at risk of Data Breaches


The Court of Appeal decision in WM Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339 has potentially serious implications for all employers.

Mr Skelton was a senior IT auditor employed by Morrisons and was asked to send data to Morrisons' external auditors. He was later convicted of fraud for sharing employees' personal data online and sending it to three national newspapers in pursuit of a personal grudge against Morrisons. As a consequence of his actions, he was jailed for 8 years.

Employees of Morrisons then brought claims against the company and argued that it was vicariously liable for Mr Skelton's misuse of their private information. The Court of Appeal upheld the decision of the High Court that Morrisons were vicariously liable. In essence, it was held that there was a sufficiently close connection between Mr Skelton's employment and his wrongful conduct for Morrisons to be held liable. The Court also held that Mr Skelton's motive, which was to cause financial and reputational damage to the employer, was irrelevant when assessing vicarious liability.

This decision will set alarm bells ringing for employers since there is a limit to the measures which can be taken to prevent employees who are trusted with processing personal data from maliciously misusing that information. It is of particular concern given the potentially very large liabilities involved.

One measure which employers should immediately take is to check their insurance policies to ensure they are covered against losses from data breaches by employees.

