The Court of Appeal has rejected Morrisons’ argument that it should not be liable for the criminal conduct of a rogue employee.
In this case, a Morrison’s employee Andrew Skelton, leaked the private and confidential information of almost 100,000 Morrisons staff. Despite the fact that Mr Skelton had gone rogue, had committed a criminal offence by way of the breach and had specifically set out to cause Morrisons damage, the Court unanimously held that it was correct to hold Morrisons liable for the data breach. The rational being that the Data Protection Act 1998 was intended to provide greater protection for data subjects, and accordingly it did not impliedly exclude vicarious liability.
The potential reach of liability for unlawful acts may also extend to directors as well as the employer. In another recent case Timis & Sage v Osipov  EWCA Civ 2321, it was held that both the employer and the Directors were jointly liable for detriment suffered by an employee who had been dismissed following the making of a protected disclosure.
Amy Bradbury, one of our data protection lawyers, said “Morrisons demonstrates the exposure which companies have to the actions of rogue employees who cause data breaches. The Court of Appeal indicated that such breaches could now “lead to a large number of claims for potentially ruinous amounts”, so it is unsurprising that Morrisons have sought permission to appeal to the Supreme Court.”