Morrisons liable for employee’s data breach

Posted on: October 26th, 2018

The Court of Appeal has confirmed that Morrisons are vicariously liable for an employee’s malicious data breaches, agreeing with the earlier decision of the High Court.

Last year Coffin Mew’s Employment Team updated you on this case concerning a Morrison Supermarkets’ employee who published the payroll data of approximately 100,000 of his fellow employees online. The High Court found Morrisons vicariously liable for the deliberate disclosure of the personal data by the devious employee, but gave Morrisons leave to appeal.

The Court of Appeal have this week reached their decision, confirming the High Court’s 2017 ruling that Morrisons should be held liable for the criminal exploitation of its data. This is despite the fact that the rogue employee, Mr Skelton, has already been given an 8-year prison sentence for his actions. Overall, the judges have made clear that Morrisons are not being held liable for the way they handled personal data, but instead on the basis of vicarious liability for the malicious actions of their employee, Mr Skelton. This applied even though the employee’s motive was to harm Morrisons, rather than to achieve some benefit for himself.

That being said, the Court highlighted that, even though it would not have prevented the data breach, Morrisons’ data protection processes should have been made more watertight by ensuring the deletion of the data from Mr Skelton’s work computer as soon as it was no longer required. The Court also advised employers like Morrisons to insure against data breaches of this nature, to avoid potentially ruinous costs. The case highlights the importance of strict data protection security measures, policies and procedures. In the wake of the GDPR coming into force earlier this year, this is even more important, particularly given the public’s increasing awareness of their personal data rights, as well as a change in the workplace culture surrounding data privacy.

With the responsibility for employee data falling on employers as data controllers, it is important that businesses apply stringent controls to reduce any potential risks posed by malicious employees. Controls may include:

  • Close monitoring of employees who have regular access to sensitive data;
  • Restricting the numbers of employees who have access to personal data for work purposes;
  • Close monitoring of employees who display abnormal behaviour, such as attending the office out of usual working hours;
  • Data security measures to detect activities which suggest the misuse of data, such as emails containing high levels of data;
  • Limiting the duration under which individuals have access to personal data for work purposes;
  • Detailing the consequences of data breaches to employees who require personal data access for work purposes;
  • Introducing robust Data Protection and Data Breach Policies.
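As an added illustration (not part of the article), the three detection-style controls in the list above, bulk data leaving by email, out-of-hours access to the payroll system, and access continuing past a time-limited grant, run over constructed log records; every field name, threshold and working-hours window here is an assumption.

```python
from datetime import datetime

# Constructed sample records, not real data. Field names are assumptions.
OUTBOUND_EMAIL = [
    {"user": "alice", "to": "auditor@example.com", "records": 30},
    {"user": "bob", "to": "webmail@example.net", "records": 100_000},
]
ACCESS_LOG = [
    {"user": "alice", "system": "payroll", "at": "2018-10-22T10:15:00"},
    {"user": "bob", "system": "payroll", "at": "2018-10-21T02:40:00"},
]
# Time-limited grants: (user, system) -> last day on which access is authorised.
GRANTS = {("alice", "payroll"): "2018-12-31", ("bob", "payroll"): "2018-09-30"}


def bulk_email_alerts(events, max_records=1_000):
    """Outbound emails carrying more personal-data records than routine work needs."""
    return [e["user"] for e in events if e["records"] > max_records]


def out_of_hours_alerts(events, start_hour=7, end_hour=20):
    """Payroll-system access outside the assumed working-hours window [start, end)."""
    hits = []
    for e in events:
        hour = datetime.fromisoformat(e["at"]).hour
        if e["system"] == "payroll" and not start_hour <= hour < end_hour:
            hits.append(e["user"])
    return hits


def expired_access_alerts(events, grants):
    """Access with no grant on record, or after the granted period has ended."""
    hits = []
    for e in events:
        expiry = grants.get((e["user"], e["system"]))
        # ISO dates compare correctly as strings (YYYY-MM-DD).
        if expiry is None or e["at"][:10] > expiry:
            hits.append(e["user"])
    return hits


def review(email_events, access_events, grants):
    """Union of the three checks: the users whose activity warrants review."""
    flagged = set(bulk_email_alerts(email_events))
    flagged |= set(out_of_hours_alerts(access_events))
    flagged |= set(expired_access_alerts(access_events, grants))
    return sorted(flagged)
```

Each check is deliberately simple so the threshold or working-hours window can be tuned to the organisation; in practice the same signals would be fed to a SIEM or DLP tool rather than a script.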

The Morrisons case serves as a reminder to employers that, if they have not already done so, now is the time to review data protection measures to ensure necessary steps are being taken to eliminate risks and safeguard the data they control.

If you would like further guidance on the impact and implementation of GDPR on your organisation, the Employment team has put together a comprehensive GDPR and HR package that we would be happy to discuss with you. You can contact our Employment team here.