Morrisons’ liability for data breach confirmed
One of the leading cases on data breach in the workplace is once more in the spotlight. We previously reported on Morrisons Supermarket being the unwitting target of a malicious leak of employee data by a disgruntled auditor. The data breach affected 100,000 Morrisons employees. More than 5,500 of them brought a group action against the supermarket for (1) breach of the Data Protection Act 1998, (2) breach of confidence and (3) misuse of personal data. In December 2017 the High Court decided that Morrisons was vicariously liable for the data breach. Morrisons appealed that decision, and the appeal recently made it to the Court of Appeal.
The first issue considered by the Court of Appeal was whether data protection legislation prevents a claimant from using that law to bring claims of vicarious liability, breach of confidence and misuse of personal data. The Court of Appeal decided that the legislation did not contain any such restriction. There was therefore no barrier to Morrisons’ employees bringing such claims.
The Court of Appeal then turned to the question of whether Morrisons could be vicariously liable for the acts of Skelton, the auditor who leaked the data. The test for vicarious liability requires consideration of whether the act in question is sufficiently closely connected with the employee’s employment that it would be fair and just to hold the employer liable for the employee’s actions.
A key issue was whether the fact that Skelton unlawfully uploaded the employee data while at his home (and therefore away from the workplace) meant that Morrisons should not be held vicariously liable for the data breach. The Court of Appeal decided that the first improper action committed by Skelton was the downloading of the employee data onto his USB stick, which he did at work. In any event, held the court, it is possible for employers to be vicariously liable for acts that occur outside of the workplace. The acts which Skelton did at his home were part of an unbroken chain of events for which Morrisons remained vicariously liable.
“The tortious acts of Mr Skelton in sending the claimants’ data to third parties were in our view within the field of activities assigned to him by Morrisons.” Court of Appeal
The unusual consideration for the Court of Appeal in this case was that Skelton’s acts had been aimed at harming Morrisons. The question was therefore whether Morrisons could be vicariously liable for an act that had been specifically designed to harm the company. The answer, the Court of Appeal decided, was yes. Motive was irrelevant even where the motive was to cause financial or reputational damage to the employer.
Morrisons’ appeal was therefore unsuccessful.
From a public policy perspective, the Court of Appeal noted that organisations can insure against the risk of losses arising due to data breaches by dishonest or malicious employees. The upshot of this case may therefore be increased insurance premiums for employers.
CASE WM Morrison Supermarkets plc v various claimants, Court of Appeal (Civil Division), 22 October 2018
Photograph: “Computer security” from ISO Republic used under Creative Commons Zero (CC0) licence