Data Protection: Was an Employer Liable for an Employee's Malicious Data Breach

In Various Claimants v WM Morrisons Supermarket PLC [2017] EWHC3 113 (QB), the High Court considered whether an employer was liable for an employee’s malicious disclosure of personal data belonging to other employees. This case is significant as it is the first group litigation case about data breach to come before the U.K. courts.

Mr Skelton was employed by WM Morrisons Supermarket plc (Morrisons) as an internal auditor. Feeling aggrieved about a disciplinary process against him several months earlier, he published the payroll data of some 100,000 other employees online and sent it to various newspapers. Mr Skelton was sentenced to eight years in prison for criminal misuse of the payroll data. Upon discovering the misuse, Morrisons took steps to protect the affected employees from any potential loss arising from it. However, around 5,500 employees brought claims against Morrisons relating to the misuse of their personal data.

The High Court found that Morrisons was not at fault in respect of Mr Skelton’s misuse of the data. Nevertheless, the High Court held that Morrisons was vicariously liable for the actions of Mr Skelton because they had occurred during the course of his employment. In coming to this decision, the Court took into account a number of factors, including that Mr Skelton had been given access to the payroll data through his work and Morrisons had deliberately entrusted him with it. The High Court gave Morrisons the right to appeal.

This case will be of concern to employers and highlights the fact that they should have in place up to date and appropriate data protection policies and procedures. This is particularly important in light of the General Data Protection Regulation which will come into force in May 2018 and significantly increase the consequences of data protection breaches.