Business responsibility of a rogue employee
Is an employer responsible for the actions of an employee who has 'gone rogue' and deliberately posted sensitive employee data online?
Yes, the Court of Appeal has said in Morrisons v Various Claimants. Mr Skelton was an internal auditor at Morrisons. He had been recently disciplined and held a grudge against the company. He took sensitive personal data relating to thousands of employees, posted it online and disseminated a copy of the data to three national newspapers. The data included names, bank details and salary information.
Mr Skelton was convicted of fraud and various other offences. He was sentenced to 8 years in prison. The employees sued Morrisons. Among other things, the employees claimed that Morrisons was vicariously liable for the actions of Mr Skelton in leaking the data.
The Court of Appeal agreed that Morrisons was vicariously liable. There was enough connection between Mr Skelton's job role and the conduct in question. Mr Skelton's motive (to cause harm to the employer) was irrelevant. The Court highlighted that to conclude otherwise might leave an individual who suffered financial loss (because of a data breach) with no recourse except against the perpetrator. The Court advised that employers should insure against the risk of losses caused by dishonest or malicious employees.
This is a worrying case for employers. The safe storage of personal data is vital for employers. Insurance should be secured if it is not already in place. The actions of even the most trusted employees should be monitored. Particular attention should be paid to employees who might bear grudges due to recent disciplinary or grievance proceedings.