Morrison’s, the supermarket chain, has been granted permission to appeal to the Supreme Court following the Appeal Court’s decision to uphold the High Court’s decision that Morrison’s is vicariously liable for the data breach carried out by a disgruntled former employee in the class action Various Claimants versus William Morrison Supermarkets PLC. Giambrone’s commercial lawyers suggest that all employers would do well to take notice of this case, the first where vicarious liability applies to data protection and the first employee class action relating to data protection.
The rising awareness of data protection by the public, coupled with the greater ease that the UK Data Protection Act 2018 and the EU General Data Protection Act 2016 (GDPR) provide for individuals to bring claims for data breaches, makes litigation a very real possibility in certain circumstances.
The Morrison’s case arose when their internal auditor, Andrew Skelton, was given a verbal warning due to misconduct; his reaction was to covertly copy the payroll data for nearly 100,000 Morrison’s employees on to a USB stick. Following his exit from Morrison’s, some time later at his own home, Mr. Skelton posted the personal data he had stolen on a file-sharing website. The local press received a tip-off and the breach was revealed. Mr. Skelton was charged with offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 and received a sentence of eight years. Subsequently, 5,518 Morrison’s employees, whose data had been breached, joined group litigation against Morrison’s for misuse of private information, breach of confidence and breach of the Data Protection Act.
So far, Morrison’s has not been successful in persuading the courts that the company is not vicariously liable for the actions of their former employee; it remains to be seen what the Supreme Court decides. However, as it stands at the moment, employers should be thinking very seriously about how they safeguard all personal data held by the company, not just that of their customers. Businesses should also pay serious attention to the internal threat posed by a rogue employee’s potential for malicious acts against the company, as the company can be held liable for their employees’ harmful and malicious acts.
There are steps that can be taken to protect the business:
Being seen to introduce strict policies surrounding client and employee personal data will provide a warning shot for any disaffected employee who seeks revenge by deliberately creating a breach in the hope of causing harm to their employer. It is far easier to prevent than attempt to cure.