29 January 2019
The Court of Appeal has upheld the decision of the High Court, confirming that Morrisons supermarket is vicariously liable for an internet disclosure made by one of its employees, which divulged the personal details of nearly 100,000 of his colleagues.
The employee, a senior IT auditor, took the data from the payroll and posted it on a file sharing website. The data shared included names, addresses, bank account details and salaries of employees. He was motivated by a grudge against his employer for a previous disciplinary incident.
5,500 affected employees commenced group litigation, bringing a claim against Morrisons for primary and vicarious liability.
The High Court ruled that Morrisons were not directly liable as they had not themselves misused any private information and they had adequate data security measures in place. However, the court found that Morrisons were vicariously liable for the employee’s actions. Morrisons appealed. The Court of Appeal dismissed the appeal on the basis that the High Court were correct to hold that the common law remedy of vicarious liability of the employer in such circumstances was not expressly excluded by the Data Protection Act 1998.
Whilst the liability of Morrisons is in line with legal principles, the decision begs the question- is it fair that an employer incurs significant liability for the actions of a rogue employee with a chip on their shoulder? Irrespective of the fact that the said employer had control mechanisms in place to prevent this type of situation from arising?
The consequences for companies, especially for SMEs could be catastrophic. The Court of Appeal said that the solution here for employers lies in being properly insured against losses caused by dishonest or malicious employees.
There is an element of irony that the employee got what he set out to do- cause disruption and harm to Morrisons. Morrisons now face the prospect of having to pay compensation to more than 5,000 staff. The employee himself however was criminally charged and convicted for fraud under the Computer Misuse Act 1990 and under the Data Protection Act 1998, currently serving an eight-year sentence.
Morrisons have announced that they plan to appeal the decision to the Supreme Court.