Morrisons Held Vicariously Liable for Rogue Employee's Data Leak

In a workplace context, an employer can be found liable for the acts or omissions of its employees, provided it can be shown that they took place in the course of their employment – i.e. where there is sufficient connection between the employee's position and the wrongful conduct to make it right for the employer to be held responsible.

In the first class action in the UK arising from a data leak (Various Claimants v WM Morrisons Supermarket plc), the High Court has ruled that an employer can be held liable for the criminal actions of a rogue employee in breach of the Data Protection Act 1998 (DPA).

The data in question was leaked by an IT specialist who worked for Morrisons as a senior internal auditor. He bore a grudge against the supermarket chain after an unrelated incident that had resulted in disciplinary action against him. He had been given access to the company's personnel files because employees' payroll data was needed for an audit. He later copied details of almost 100,000 of his fellow workers – including names, addresses, dates of birth, telephone numbers, bank details and salaries – and posted them on a file-sharing website.

Morrisons learned of the leak after a CD containing a copy of the data was sent to three newspapers. Concerned that the leak might expose its staff to fraudulent 'phishing' or identity theft, the company took swift and effective steps to remove the data from the Internet. The perpetrator was subsequently identified and convicted of offences under the Computer Misuse Act 1990 and the DPA. He was given an eight-year prison sentence.

More than 5,500 of the affected employees lodged damages claims against Morrisons, alleging that it was both directly and indirectly liable for the IT specialist's actions. The company was alleged to have breached its strict duties under the DPA to protect its employees' personal data. Other claims of misuse of personal data and breach of confidence were also pursued.

The Court noted that any system that permits human access to data involves inevitable risks. Morrisons had internal checks in place and had taken appropriate steps to protect the data by limiting access to a few trusted employees. There was no way it could have known of the IT specialist's intentions, and there had been no failure to provide adequate and proper controls. The company's sole failing was that it did not have an organised or fail-safe system in place for deleting copies of the data held on individual workers' computers once they were no longer needed.

Nevertheless, the Court found Morrisons indirectly – or vicariously – liable for the IT specialist's criminal acts. It had deliberately entrusted him with its payroll data and he had been put in a position where he could handle it and disclose it to third parties. There was a sufficient connection between his job and his wrongful conduct to make it just for the chain to be held liable.

The Court's ruling has opened the way for the claimants to seek compensation. However, in granting Morrisons permission to challenge its decision before the Court of Appeal, the Court noted that the company was itself the primary target and victim of the embittered IT specialist's actions, and that the outcome could be viewed as the Court acting as a 'witting instrument of the criminal' in furthering his criminal objectives.