Supermarket Chain Vicariously Liable for Errant Employee’s Data Breaches

In a landmark decision that should make every employer sit up and take notice, the Court of Appeal has ruled a supermarket chain indirectly liable for the misdeeds of an errant employee who leaked its payroll data onto the Internet.

The IT worker bore a grudge against the chain and used a USB stick and a laptop computer to place personal details of almost 100,000 employees on a file sharing website. After the leak was tracked to him, he was convicted of fraud, together with offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA), and was sentenced to eight years’ imprisonment.

After lawyers representing over 5,000 affected employees launched proceedings, a judge found that the chain had not directly misused, or authorised or carelessly permitted the misuse, of any of the relevant data. However, it found on the facts of the case that the IT worker’s nefarious actions were sufficiently closely connected to his employment as to render the chain vicariously liable.

In challenging that decision, the chain argued that it, rather than its staff, was the IT worker’s intended victim and that the judge’s ruling had enabled him to achieve his objective of harming its interests. The finding of vicarious liability would place an enormous burden on the chain and other employers who found themselves in a similar situation.

In dismissing the appeal, however, the Court found that the common law remedy of vicarious liability is neither expressly nor impliedly excluded by the terms of the DPA. It noted that, if the chain’s arguments were correct, a hypothetical employee who had money stolen from his bank account as a result of a data leak by a co-worker would have no remedy, save against the wrongdoer personally. Noting the large number and huge scale of recent corporate data breaches, the Court observed that it is incumbent on those exposed to potentially catastrophic losses to take out appropriate insurance. The Court’s decision opened the way for the affected employees to seek compensation from the chain in respect of any losses suffered.