The supermarket chain Morrisons, has been found to be vicariously liable for an employee’s data breach, in a decision which extends the scope of vicarious liability. A senior IT auditor at Morrisons, named Skelton, unlawfully copied confidential payroll data—to which he had access for limited legitimate purposes—and uploaded it to a file-sharing website. He then anonymously contacted several newspapers to alert them to the newly uploaded material.

Skelton was found guilty of multiple criminal offences and sentenced to eight years’ imprisonment. The 5,518 Morrisons employees, whose payroll data had been unlawfully disseminated, brought a civil claim against supermarket chain. It is a rare example of a class action-type claim in the UK.

The court found that Morrisons’ only primary fault under the Data Protection Act 1998 (DPA) was a failure to discharge their duty to take “appropriate technical and organisational measures . . . against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” Morrisons should have had more robust checks in place to ensure confidential data was deleted after any temporary use outside of its database. But, on the facts, this was not causative or contributive to the claimant’s loss. Skelton had copied the data to his personal USB stick before it would have been deleted, even if the satisfactory checks had been in place at the time.

Despite the court finding no direct fault on the part of Morrisons, the illegal uploading of the data by Skelton was enough to render the supermarket chain vicariously liable. In other words, since Skelton was its employee, there was little Morrisons could have done.

The concept underpinning this is termed “enterprise risk”. Where an enterprise creates risk through its operations—regardless of the likelihood, if such risk materialises, the enterprise should pay.

In order to establish vicarious liability in the employment context, the employee must be acting “within the course of his or her employment” at the time of the wrongdoing. A great deal of caselaw has been devoted to trying to clarify this, but each case decision was heavily fact-sensitive, which allowed the court in this case to have considerable discretion in reaching its judgment. Of particular concern to employers as a result of this decision will be the court’s judgment that “the issue is not so much at whom the conduct was aimed, but rather upon whose shoulders it is just for the loss to fall”.

While companies may already have insurance in place in respect to breaches of the DPA, this should be re-examined given the advent of the GDPR on 25 May 2018. In light of this court decision, businesses would be well advised to more generally consider their insurance protections in relation to vicarious liability claims.

In its judgment, the court expressly granted the defendant permission to appeal in relation to the finding of vicarious liability, which Morrisons intends to do.