Bad apples and Data Protection

The High Court recently found Morrisons to be vicariously liable for the actions of their rogue employee. Do you have cybercrime insurance in place if the worst should happen?

Last October I wrote about the dangers posed by rogue employees who disclose personal data. Then, at the end of November, came news of the case of William Morrison Supermarkets Plc v various Claimants [2018], which dealt with precisely this issue.

This case should make employers very nervous. One of Morrisons’ employees, Mr Andrew Skelton, who was employed as a Senior IT Internal Auditor, developed a grudge against the company following a disciplinary issue. At some point while performing his duties, he copied sensitive payroll data (bank account details, NI numbers, and salary payments) that he was sending to Morrisons’ Auditors onto a personal USB stick. Several months later, he posted that information online and sent it anonymously to three newspapers with, it seems, the aim of causing reputational damage to Morrisons. The data included the personal details of over 100,000 Morrisons employees. Following arrest, prosecution and conviction, Mr Skelton was sentenced to 8 years in prison for the various offences he had committed.

So whilst Mr Skelton may have been languishing in prison, where did that leave Morrisons? The answer was in some difficulty, as a group of employees alleged that Morrisons were in breach of the Data Protection Act 1998, in particular by failing to put in place adequate data protection controls. This was despite the fact that Morrisons had done nothing wrong and that the actions Mr Skelton had taken were his and his alone, undertaken deliberately with the intent to cause harm to Morrisons.

The employees’ claim against the supermarket succeeded: the High Court found Morrisons vicariously liable for the actions of their rogue employee. The Court found that there had been an unbroken chain of events leading to the wrongful conduct, even though Mr Skelton had copied the information several months before he published it online, had uploaded the data from his home on a Sunday, and had used his personal laptop. Despite all these factors, there was held to be a connection between the role he was performing and his wrongdoing, and Morrisons were held liable. The case is likely to be appealed to the Supreme Court.

The Court did pause to consider whether, in finding Morrisons vicariously liable, it was actually making itself an accessory to Mr Skelton’s criminal plan, but other case law holds that the motive of the wrongdoer is irrelevant when determining vicarious liability, and thus there was no need to find otherwise.

So what can the prudent employer do to prevent something like this? It is unlikely to happen very often, and the sentence handed down to Mr Skelton ought to make other employees think twice. Consideration should be given to whether it would be possible to introduce controls on the transmission of data that would have prevented a rogue employee from being able to download it in the first instance, but it may well be that the safest course of action ultimately is for employers to ensure that they have cybercrime insurance in place if the worst does happen.