Employment Law Solutions. Expert advice... more personal

Employer liable for rogue employee’s data breach

The Court of Appeal in the case of Morrison Supermarkets Plc v Various Claimants has held that Morrisons was vicariously liable for a rogue employee’s intentional disclosure of his colleagues’ personal data.


Mr Skelton was employed by Morrisons as a Senior IT Internal Auditor. He had been subject to disciplinary action in the past and because of this, apparently held a grudge against his employer.

When Mr Skelton was asked to transfer payroll data of staff (including names, addresses, bank details, salary information and national insurance numbers) to an external auditor, he took the opportunity to also copy this personal information of around 100,000 of Morrisons employees onto a personal USB. Mr Skelton proceeded to hold on to the personal information on the USB until just before Morrison’s financial reports were announced, when he then went on to upload the data on to a file sharing website in pursuit of his personal grudge.

Mr Skelton was convicted under the Computer Misuse Act 1990 and the Data Protection Act 1998 and imprisoned for 8 years. However, around 5,500 employees affected by the data breach also brought claims for damages against Morrisons for breach of the Data Protection Act and argued that Morrisons could be vicariously liable for Mr Skelton’s conduct misuse of private information.

In its defence Morrisons argued that it could not be vicariously liable for Mr Skelton’s acts as they did not occur in the course of his employment.

The Law

Employers can be liable for torts committed by an employee where there is a sufficient connection between the employment and the wrongdoing. There is a two stage test:

  • Is there a relationship between the primary wrongdoer and the person alleged to be liable?
  • Is the connection between the employment and the wrongful act or omission so close that it would be just and reasonable to impose liability?


The High Court and Court of Appeal both agreed that Mr Skelton’s actions were “a seamless and continuous sequence of events” which meant that there was a sufficient connection between his employment and the publishing of the personal data to make it just and reasonable to find Morrisons vicariously liable.

The Court of Appeal also considered Morrisons argument that it should not be held vicariously liable when Mr Skelton’s motive had been to harm his employer. However, it held that the motive of the employee was irrelevant to the issue of vicarious liability.


This decision will be concerning for all employers as even if appropriate data protection policies and procedures are in place and the business has committed no wrongdoing itself, it could still be vicariously liable for the intentional acts of one rogue employee.

The potential financial consequences for employers in such a scenario could be significant and the Court of Appeal suggested that employers should insure against the risks of the “potentially ruinous” impact that such a data breach could have on a business. It is therefore advisable for all employers to begin checking their insurance policies to see if they are covered in the event of data breaches by employees.

This entry was posted in Law. Bookmark the permalink.

Comments are closed.