What's going on at Oliver & Co

Morrisons Data Leak: The Worrying Implications for Employers

Posted on October 24th 2018

With potentially significant implications for employers across the UK, Morrisons have lost their appeal against a ruling which finds them partly liable for a data breach committed by a disgruntled employee.

The data breach:

In 2014, one of Morrisons’ Senior Auditors, Andrew Skelton, leaked the payroll data of over 100,000 employees. This included their names, addresses, bank account details and salaries. In 2015, Mr Skelton was jailed for eight years for the breach.

The court case:

Following the breach, 5158 of Morrisons’ affected employees went to court to seek compensation. They stated that the breach had caused them distress and exposed them to possible identity theft and financial loss. They argued that Morrisons as a company was responsible for the breaches of privacy, confidence, and data protection laws.

In response, Morrisons argued that they were “not vicariously liable for the criminal misuse of data.” However, the appeal judges disagreed. Morrisons have stated that they now plan to appeal to the Supreme Court.

Following the Court ruling, they stated:

“Morrisons has not been blamed by the courts for the way it protected colleagues’ data, but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.

“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.”

The implications for employers across the UK:

Clearly, the outcome of this case could prove problematic for employers. The ruling suggests that employers can be considered vicariously liable for the criminal actions of their employees, even when those actions are unpreventable and are maliciously directed against the company itself.

Mr Skelton did not gain access to the data as a result of weak security at Morrisons HQ. On the contrary, Mr Skelton had access to the data as part of his role at the company.

If the ruling is upheld in the Supreme Court, Morrisons could end up paying a very large amount of compensation to all affected employees. Even £1,000 worth of compensation to each claimant could rack up a bill of over £5 million.

The Appeal Court Judges suggest that the answer to this is for businesses to have stringent insurance in place. However, especially for smaller businesses, insurance cannot cover the immeasurable damage that such data breach claims can do to a firm’s reputation.

How can we help?

Do you need legal advice regarding data protection? Contact us today on 01244 312306 or visit our data protection page here.
