Is an employer responsible for the actions of an employee who has ‘gone rogue’ and deliberately posted sensitive employee data online?

Yes, said the Court of Appeal in a recent case against the supermarket, Morrisons.

Mr Skelton was an internal auditor at Morrisons. He had been recently disciplined and held a sizeable grudge against the supermarket giant. He stole sensitive personal data – including names, addresses, bank account details and the salaries of thousands of employees and posted it online. He then told newspapers it was there.

Mr Skelton was convicted of fraud and various other offences and sentenced to 8 years in prison. The employees sued Morrisons. Among other things, the employees claimed that Morrisons was vicariously liable for the actions of Mr Skelton in leaking the data.

The Court of Appeal agreed that Morrisons was vicariously liable. There was enough connection between Mr Skelton’s job role and acts he committed. Mr Skelton’s motive (to cause harm to the employer) was irrelevant. The Court highlighted that to conclude otherwise might leave an individual who suffered financial loss with no recourse except against the perpetrator. The Court advised that employers should ensure against the risk of losses caused by dishonest or malicious employees.

This is a worrying case for employers. The safe storage of personal data is vital for employers. Insurance should be secured if it is not already in place. The actions of even the most trusted employees should be monitored. Particular attention should be paid to employees who might bear grudges due to recent disciplinary or grievance proceedings.