The risk of liabilities arising from a large-scale data breach is enough to keep many business owners awake at night. But what happens if a disgruntled employee purposely discloses personal information with a view to harming their employer? Can the employer nevertheless be held responsible? A recent case concerning Morrisons Supermarkets considered the point.

The facts

This dispute arose when Andrew Skelton, a senior IT auditor, purposely disclosed the personal data of around 100,000 fellow Morrisons employees. He was aggrieved at the fact that he had previously been issued with a verbal warning for allegedly ‘abusing’ the company’s postal system. Mr. Skelton was successfully prosecuted for breaches of both the Data Protection Act 1998 and the Computer Misuse Act 1990. However, a question then arose as to who should be liable for any compensation payable to those colleagues affected by the data breach.

The decision

‍High Court Judge Langstaff initially concluded that Mr. Skelton’s behaviour was sufficiently closely related to his employment, such that his employer (Morrisons) should be held vicariously liable for his actions. Judge Langstaff found that Mr. Skelton’s motives were irrelevant; it did not matter that he held a grudge against Morrisons and was purposely trying to damage the supermarket’s interests. However, following an appeal to the Supreme Court, the most senior judges in the UK have found that an employee is not acting in the course of his employment when pursuing a ‘personal vengeance’ of this sort. As a result, the Supreme Court concluded that Morrisons are not vicariously liable for Mr. Skelton’s actions.

A fair decision?

In many respects, this seems like the right decision. However, it begs the question as to how the true victims of Mr. Skelton’s behaviour (i.e. his fellow employees) secure appropriate compensation if the company cannot be held liable. What do you think about this decision? Please get in touch and let us know; we’d be interested to hear your thoughts.