The risk of liabilities arising from a large-scale data breach is enough to keep many a business owner awake at night. But what happens if a disgruntled employee purposely discloses personal information with a view to harming their employer? Can the employer nevertheless be held responsible? A recent case concerning Morrison Supermarkets considered the point.
This dispute arose when Andrew Skelton, a senior IT auditor, purposely disclosed the personal data of around 100,000 fellow Morrisons employees. He was aggrieved at the fact that he had previously been issued with a verbal warning for allegedly ‘abusing’ the company’s postal system. Mr Skelton was successfully prosecuted for breaches of both the Data Protection Act 1998 and the Computer Misuse Act 1990. However, a question then arose as to who should be liable for any compensation payable to those colleagues affected by the data breach.
High Court Judge Langstaff concluded that Mr Skelton’s behaviour was sufficiently closely related to his employment for his employer (Morrisons) to be vicariously liable for his actions. Judge Langstaff found that Mr Skelton’s motives were irrelevant; it did not matter that he held a grudge against Morrisons and was purposely trying to damage the supermarket’s interests.
In some respects, this decision sits a little uncomfortably with us. After all, whilst Mr Skelton will undoubtedly suffer as a result of his criminal prosecution, he has, in a manner of speaking, got his wish. His actions are likely to result in Morrisons being responsible for considerable compensation claims from affected staff members. Having said that, without the protection of vicarious liability, the true victims of Mr Skelton’s behaviour (i.e. his fellow employees) could go uncompensated. We have to bear this in mind.
Interestingly, Morrisons have been given permission to appeal this decision. So, this may not be the last we have heard of this particular dispute.