Morrisons held responsible for mass data breach committed by disgruntled employee


Author: Michelle Waknine


Morrisons face having to pay compensation to thousands of employees, following a recent decision of the High Court that the UK’s fourth largest chain of supermarkets was vicariously liable for a rogue employee leaking payroll information online.

This decision follows the outcome of the first class action concerning a data breach in the UK, brought by over 5,500 of Morrisons’ employees seeking compensation in respect of the online publication in 2014 of a file containing personal details of 99,998 employees. The data included names, addresses, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and salary details.

The data had been posted on a file-sharing website by a senior IT auditor employed by Morrisons, Andrew Skelton, who had become disgruntled after being temporarily suspended and receiving a formal verbal warning following the discovery of his sideline in distributing a (legal) slimming drug. He felt this was unjustified. Over a period of months, Skelton was found to have taken steps to secretly lift the data and post it online. Once the leak was spotted, Skelton was arrested and charged with offences under the Computer Misuse Act 1990 and Data Protection Act 1998 (DPA) for which he was convicted and sentenced to 8 years’ imprisonment. The Morrisons’ staff who were affected by the leak commenced court proceedings against Morrisons.

The courts acknowledged Morrisons’ efforts to defuse the situation and the data security systems they had in place (within a few hours of discovery Morrisons had alerted the police and taken steps to ensure that the data had been removed online). Accordingly, the court found that Morrisons were not in breach of the Data Protection Act 1998 (DPA), the tort of misuse of private information, or liable for breach of confidence themselves.  However, Morrisons were found to be vicariously liable on all of these grounds as a result of Skelton’s (albeit criminal) actions as their employee. Vicarious liability is where persons are liable for the acts of others even when they have not done anything wrong themselves. It has long been established that employers may be vicariously liable for the actions of their employees if there is a sufficient connection between the employee’s wrongdoings and their employment.

Morrisons argued that they were not “on the field” for vicarious liability since they could no longer be considered as “data controller” for the purpose of the DPA in respect of the data leaked by Skelton, however this was rejected. The court held that the question was not whether Morrisons did wrong, but whether, when Skelton misused the information, his acts were “closely connected” with his employment.

The court concluded that Morrisons had entrusted Skelton with the payroll data. Dealing with the data was a task specifically assigned to him and, day in and day out, he was in receipt of information which was confidential or to have limited circulation only. Morrisons took the risk they might be wrong in placing trust in him, and they were therefore held responsible.

One concern expressed by the court is that by deciding in favour of Morrisons’ employees, this could be viewed as making Morrisons an “accessory” in furthering Skelton’s “criminal aims” of harming Morrisons. Accordingly, the court has granted Morrisons leave to appeal, and it is understood that Morrisons are intending to appeal the decision.

From a data protection perspective, this decision raises interesting issues and could open a can of worms in respect of data processing contracts (between e.g. companies and suppliers who deal with data on their behalf) and the allocation of liability between the parties in respect of the acts of employees.

The decision has also triggered major concerns for data controllers, particularly of large scale organisations, as the case leaves a rogue-employee-shaped gaping hole in the ability to guard against risks of data security breaches.

It is interesting however, to note the court’s indication that a higher standard is expected as to the measures implemented to protect data relating to 100,000 employees than is expected of a small enterprise employing six or seven workers. This emphasises the importance (particularly in anticipation of the General Data Protection Regulation coming into force in May 2018) of implementing systems that are appropriate and specifically tailored to the size and nature of the business, rather than adopting a generic “tick-box” approach, and for businesses to re-evaluate the extent to which it is necessary for employees to be granted unlimited access to data.

Michelle Waknine, Associate, Fladgate LLP (mwaknine@fladgate.com)

Louise Gibson, Associate, Fladgate LLP (lgibson@fladgate.com)

Would you like to hear more?


View by author: