Vicarious Liability for Data Breach

December 18, 2017

Morrisons staff are to be awarded a pay-out over a data breach that occurred when a disgruntled former member of its staff stole the data of thousands of employees and posted it online. The High Court has found Morrisons liable for the actions of the employee, and the ruling opens the way for the 94,000 people affected to bring a compensation claim.

Workers brought a claim against the company after employee Andrew Skelton, a senior internal auditor at the retailer’s Bradford headquarters, stole the data, which included salary and bank details, of nearly 100,000 staff. He then posted the payroll information online and sent it to newspapers in 2014. He was jailed for eight years in July 2015 after being found guilty of fraud, securing unauthorised access to computer material and disclosing personal data.

The Judge noted that it would be impracticable for Morrisons to routinely monitor all internet searches and that, even if it were feasible, it would have been disproportionately expensive. In any event, such monitoring would have been difficult to justify, since it would most probably amount to an unlawful interference with employees’ rights to privacy and family life, with little by way of balancing factor to suggest otherwise.

The test for establishing vicarious liability was whether Skelton's actions were carried out in the course of his employment. His role in respect of payroll data was to receive and store it, and to disclose it to a third party (i.e. the external auditor). The fact that he chose to disclose it to others who were not authorised was nonetheless closely related to what he was tasked with doing. Although the disclosure took place outside working hours and from his personal computer, there was a sufficient connection between the employee's employment and the wrongful conduct for it to be right to hold the employer liable.

The claimants' lawyers said the data theft meant the group of 5,518 former and current employees were exposed to the risk of identity theft and potential financial loss, and that the company was responsible for breaches of privacy, confidence and data protection laws. They also said: “Every day, we entrust information about ourselves to businesses and organisations. We expect them to take responsibility when our information is not kept safe and secure. The consequences of this data leak were serious. It created significant worry, stress and inconvenience for my clients. Data breaches are not a trivial or inconsequential matter”.

A second trial will be held to determine the amount Morrisons must pay in damages. This is despite the fact that the disgruntled employee's aim was solely to damage his employer's business, an aim in which he has therefore succeeded.

It is a difficult decision, although the direction of the law is clear in making employers responsible as a matter of public policy.

Peter Stanway, our BackupHR™ legal expert, comments:

The case demonstrates that employers can be held vicariously responsible for the acts, lawful and unlawful, of their employees. If nothing else, the case may help some employers to come to terms with the seriousness of data protection as a new, tougher law comes into effect in May.

  • Review your data protection policies and procedures against not only the current but forthcoming legal requirements.
  • Strengthen your internal (and outsourced) controls on access to data.
  • Train employees on data protection requirements.
  • Deal effectively with disgruntled employees. Risk-assess what access they have to personal data. Consider locking down or minimising their access to data whilst their issues are being resolved.
  • Create a culture that values data privacy and allegiance to the organisation.

The guidance provided in this article is just that – guidance. Before taking any action make sure that you know what you are doing, or call us for a free initial chat on 01480 677980.