In November 2018, the Court of Appeal held that Morrisons was liable for a deliberate data breach committed by a rogue employee. In that case, the employee, Mr Skelton, was a senior auditor and posted personal data of 100,000 staff on the internet and sent the same information to newspapers with the intention of causing damage to his employer.
Morrisons appealed the decision, and the Supreme Court overturned it, holding that Morrisons was not vicariously liable for Skelton’s actions. Although ultimately Morrisons was not liable, the case nevertheless demonstrates the amount of damage that can be caused by an employee’s deliberate (or even accidental) lack of regard for confidentiality or data security.
When might employers be held liable for an employee’s actions?
The answer will depend on whether the employee’s wrongful act was ‘so closely connected’ to their job that it is fair and just to impose liability on the employer. Employers will be liable for an employee’s wrongdoing if it is closely connected to what they are ordinarily required to do as part of their role.
The question of when a wrongful act is ‘closely connected’ to an employee’s role is often a difficult one, especially if the wrongdoing results from the information that the employee had access to as part of their role. The Supreme Court in the Morrisons case noted that:
- it is not enough that the employee’s act was closely related to his role – it needed to form part of his functions;
- the employee was not furthering the business of the employer;
- close connection was not about timing – instead it related to the capacity in which Mr Skelton was acting;
- the employee’s motive was relevant – he was acting in his own personal capacity; and
- opportunity to commit the wrongful act was not sufficient to impose vicarious liability.
For the reasons set out above, the Supreme Court held that Skelton’s wrongful conduct was not so closely connected with acts that he was authorised to do that it could fairly and properly be regarded as done by him while acting in the ordinary course of his employment.
How does Covid-19 change things?
While many employees continue to work from home, office space will often be shared with those who do not work for the same company and may even work for competitors. This means employers don’t have the same level of control and cannot easily ensure the same standard of data security that applies in a traditional office environment.
Confidential documents or conversations may be easily accessible to others who you would not normally allow into your office. Employees may also make personal use of technology, exposing the company to security risks.
As working from home continues for the foreseeable future, employers should take steps to minimise these risks; for example, by asking employees to:
- use headphones and/or a separate workspace for particularly sensitive calls;
- use privacy screens where appropriate;
- shred confidential documents;
- lock computer screens and not share computers or other technology with others; and
- take part in data security training refreshers – with a requirement to confirm compliance with guidelines.
These are challenging times and as we adapt to the new way of working, employers should clearly and sensitively communicate their expectations to staff.
Raoul Parekh is a partner and Deborah Margolis an associate at GQ|Littler