The Court of Appeal recently upheld a decision against Morrison Supermarkets that it was liable after a rogue employee deliberately published confidential payroll data on the internet. A group of over 5,000 employees have pursued damages against the company for the distress caused by their personal details being made publically available.

The culprit was employed by Morrisons as an internal IT auditor. He held a grudge against the company having received a disciplinary warning a few months earlier. Part of his auditing role involved acting as an intermediary with the external auditors, who on this occasion had asked him to supply a copy of payroll records. Having received a copy of the company’s payroll data on a USB device from a HR colleague, he made a copy on his work computer before forwarding the USB device to the external auditor.

A few weeks later, he downloaded the data to a personal USB drive and took it home. Then he published it online from home. On the public website he masqueraded as another employee in an attempt to divert attention to a colleague. A few weeks later, when he realised nobody had spotted the data, he wrote anonymously to three newspapers pretending to be a concerned employee with a link to the web site. The newspapers did not publish the story, but instead informed Morrisons. The company acted immediately to have the data removed from the website, as well as taking other measures to deal with the data breach.

A group of 5,518 claimants pursued a claim of primary liability against Morrisons for the unlawful disclosure. They also lodged a second claim, in the alternative, that the company was vicariously liable. The principle of vicarious liability can apply where a wrongdoer commits an act on behalf of another. The most common example of this would be an employer being liable for the wrongful acts of their employees.

The High Court rejected primary liability against Morrisons, but the claimants succeeded on the issue of vicarious liability. There was a sufficiently close connection between the employee, the role they were employed to do, and the wrongdoing.

The Court of Appeal has upheld the High Court decision. In particular, they noted that Morrisons deliberately entrusted the employee with the payroll data. It was not merely data to which he had access via the network. Dealing with the data was a task specifically assigned to him. His actions were all part of a deliberate plan, although the court accepted it was an unusual case where the objective was not financial gain, but simply to cause harm because of his personal grudge.

The solution suggested by the court was insurance. As the court stated: “The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees.”

This decision could have serious implications for employers who may be vicariously liable for misuse of data by a rogue employee. Morrisons have already stated they intend appealing further to the Supreme Court.

If you need to take advice on best practices regarding Data Protection, please do not hesitate to contact our expert team on 0161 941 4000 or by email lawyers@myerson.co.uk.