Is an employer vicariously liable for the misuse of its employees' personal and confidential information by another employee's criminal conduct intended to harm the employer?
Yes, held the Court of Appeal in WM Morrison Supermarkets Plc v Various Claimants.
Mr Skelton, a senior IT internal auditor employed by Morrisons, was asked to send data to Morrisons' external auditors so that they could undertake the annual audit. He was convicted of fraud and offences under the Computer Misuse Act 1990 and s55 Data Protection Act 1998 ('DPA') for sharing employees' personal data online and disseminating a copy of that data to three national newspapers, in pursuit of a personal grudge against Morrisons.
Employees of Morrisons sought to hold Morrisons vicariously liable for Mr Skelton's misuse of their private information and breach of confidence, and personally liable for breach of the statutory duty owed under s4(4) of the DPA.
The Court of Appeal upheld the decision of the High Court that Morrisons was vicariously liable. It rejected Morrisons' contention that the DPA excluded the vicarious liability of an employer for misuse of private information by an employee and for breach of confidence. On the facts, there was a sufficiently close connection between Mr Skelton's employment and his wrongful conduct for it to be just to hold Morrisons liable.
Importantly, the Court did not accept that there is an exception to the irrelevance of motive where the motive is, by causing harm to a third party, to cause financial or reputational damage to the employer. Accordingly, Mr Skelton's motive in pursuing his actions was deemed irrelevant. On a practical level, the Court suggested that employers should insure against data breaches committed by employees, given the large potential liabilities involved.
Thanks to Georgina Churchhouse, pupil at 12KBW, for preparing this case summary.