The High Court has recently decided that a company can be held liable for the criminal actions of a rogue employee who discloses personal information about other employees on the internet. This was decided following a claim brought against the supermarket, Morrisons (Various Claimants v WM Morrisons Supermarkets PLC [2017] EWHC 3113 (QB)).
On 12 January 2014 a file containing personal details of 99,998 employees of Morrisons was posted on a file-sharing website and links to the website were placed elsewhere on the web. The data included individuals' names, addresses, dates of birth, phone numbers, bank details and salary. Morrisons were first alerted to the disclosure on 13 March 2014 and within a few hours the website was taken down and the police notified. Investigations showed that the data had almost certainly been derived from data held centrally by Morrisons, to which only a limited number of employees had access. A record of login details revealed the identity of the “super user” under whose login the data had been extracted. That person was arrested but it was quickly established that he was innocent. A senior IT auditor in Morrisons' employment was subsequently arrested and found guilty of fraud under the Computer Misuse Act 1990 and Data Protection Act 1998. He was sentenced to 8 years' imprisonment. The auditor had previously been disciplined during his employment and given a formal warning. This appeared to be the reason behind the auditor’s decision to leak the data.
5,518 of the employees of Morrisons whose data was disclosed claimed compensation from Morrisons under the Data Protection Act 1998 and at common law on the basis that Morrisons were liable for the actions of one of their employees harming his fellow workers. This is known as vicarious liability.
Morrisons did not misuse the data nor permit its misuse by any carelessness on their part. The vicarious liability doctrine holds a company liable for the wrongful acts of an employee even though the company is free from blame. When deciding whether a company is vicariously liable for an employee's conduct, the Court needs to balance two conflicting interests: on the one hand, there is a social interest in providing an innocent victim with a recourse against a financially responsible defendant; and on the other hand, a hesitation to place undue burden on a business enterprise.
The judge held that Morrisons deliberately entrusted the payroll data to the person who uploaded and shared it on the internet. Dealing with the data was a task specifically assigned to him as part of his work duties. He was trusted to deal with it safely. Morrisons took the risk that they might be wrong in placing their trust in him. The fact that the auditor may have been motivated by a grudge was not a defence to an argument of vicarious liability; the grudge was work-related.
In previous Court cases involving arguments of vicarious liability the fact that an act was done for the employer’s benefit (albeit not as the employer instructed or would have wished) was highly relevant to a conclusion that the act was within the course of employment. But in this case the act was taken deliberately to harm, rather than benefit, Morrisons. This argument in other cases has not been held to be a sufficient defence to an argument of vicarious liability. The Judge decided that the issue is not so much one of whom the conduct was aimed at (it was clearly aimed to harm Morrisons), but rather upon whose shoulders it is just for the loss to fall. An employer who places an employee in a position where he can misuse information or data still has the right to control and design systems to prevent misuse occurring.
Morrisons are more likely to have the means to compensate victims and can be expected to have insured against that liability. The High Court Judge decided that there was sufficient connection between the position in which the auditor was employed and his wrongful conduct. The fact that Morrisons placed the auditor in the position of handling and disclosing the data is sufficient to make it right for Morrisons to be held liable under the principle of social justice.
The judge did not consider that Morrisons were primarily liable for the breach of confidentiality in disclosing the data, but that they would be vicariously liable under the Data Protection Act 1998 for the conduct of their rogue employee. The Judge admitted that he was troubled by the argument that the wrongful acts of the auditor were deliberately aimed at Morrisons, and that to find them vicariously liable would be to do further harm to them and effectively further the criminal aims of the rogue employee. He therefore granted permission for Morrisons to appeal for further consideration of the vicarious liability argument should they wish to do so.
UPDATE – This decision has been appealed – see https://irhlegal.co.uk/blog/data-protection-morrisons-round-2/