The test for whether an employer can be found vicariously liable for acts of an employee is whether the employee is acting “in the course of their employment”, and whether the specific events are so closely connected with the employment that it would be fair and just to hold the employer vicariously liable.
In the case of WM Morrison Supermarkets v. Various Claimants an internal auditor was aggrieved having undergone a disciplinary process. He sought revenge against Morrisons by publishing the personal payroll data (including sort codes, account numbers and National Insurance information) of over 100,000 colleagues on the internet. He was personally tracked down, and imprisoned for his offences, but a number of the victims sought damages against Morrisons. Whilst the supermarket was not directly liable, and had taken appropriate measure to prevent data leaks, the Court of Appeal found Morrisons to be vicariously liable for the actions of its employee. He had clearly been entrusted with payroll data in his role, and although the leak was conducted using his personal computer outside his usual working hours, there was a sufficiently close connection with his employment upon which to base liability. The Court stressed that the employee’s malicious motive was irrelevant, and while it recognised that this could cause significant damage to an employer (which was precisely what had been intended by the employee), it suggested that the solution for employers is to insure against such wrongdoing.
This is a significant judgment with very far reaching implications for employers, and it will be nigh impossible to stop a determined, disgruntled employee from doing similar. Morrisons has indicated it will appeal the decision, but in the meantime employers should check their insurance policies, and also review their data security standards to do all they can to reduce their risk.
Link to Judgment: www.bailii.org/ew/cases/EWCA/Civ/2018/2339.html