The information had been entrusted to Mr Skelton, a senior internal IT auditor. Apparently motivated by a grudge arising from a verbal warning he had received, he downloaded the data onto a personal USB stick and later posted it to a file-sharing website and sent it to several newspapers. Mr Skelton was subsequently convicted of computer misuse offences and sentenced to 8 years in prison. Around 5,000 of the employees whose data had been unlawfully disclosed by Mr Skelton brought claims against Morrisons, arguing that, as his employer, it was vicariously liable for Mr Skelton's actions.
The Court of Appeal has now confirmed that Morrisons is indeed liable, even though Mr Skelton's actions were plainly not authorised and despite Morrisons having put in place reasonable data security measures. The Court agreed with the trial judge that there was an 'unbroken thread' that linked Mr Skelton's work to his unlawful disclosure of the information and Morrisons was therefore vicariously liable for the disclosure. The Court was not swayed by arguments that this could expose businesses to financially ruinous claims based on data breaches: its advice to businesses was that they should take out insurance.
Mr Skelton's actions took place before the GDPR was in force, but the strict obligations (and financial penalties) imposed by the GDPR make data security even more important. Businesses should ensure that all appropriate measures are put in place to protect confidential information and personal data, including protection against unauthorised downloads and the use of personal storage devices, and that all staff are aware of the business's information security rules. Although such measures will not prevent a business from being liable for unlawful disclosures by employees, they may make such disclosures less likely or enable unlawful activity to be detected earlier.