What does Morrisons data breach mean for employers?

A former employee leaked the personal info of 100,000 workers

In the news last week, Morrisons – a UK-based supermarket chain – lost a High Court challenge asserting its liability for an employee data breach.

The Court of Appeal upheld an earlier decision issued in December of last year.

The case involved Andrew Skelton, then an internal auditor for the company, who leaked the personal information of 100,000 employees – including salary and bank details. Skelton was jailed for eight years after being found guilty of fraud in 2015.

A spokesperson for Morrisons commented: “A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he's been found guilty for his crimes. Morrisons has not been blamed by the courts for the way it protected colleagues’ data, but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.

“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible so that’s why we will now appeal to the Supreme Court.”

This is reportedly the first data leak class action in the UK, according to the BBC, and it will undoubtedly have piqued the interest of global organizations, perhaps prompting them to consider how they store their workers’ info.

Speaking on the legal aspect of the case, Toni Vitale, head of regulation, data and information at Winckworth Sherwood, added: “Morrisons’ failure to overturn the High Court ruling that it should be liable for the actions of its rogue employee raises interesting questions about how far courts will go to find employers liable for the actions of their staff. This is called ‘vicarious liability’ and turns on whether the actions of the employee are undertaken during the course of their employment.

“Although the employee ‘grossly abused’ his position, the court found that while he was not authorized to disclose the information to other parties, his actions were nevertheless ‘closely related’ to his role. The judge commented that when the employee received the data, he was acting as an employee, and the chain of events from then until disclosure was unbroken. Morrisons had entrusted him with the data and took the risk that they might be wrong in placing trust in him.

“How can employers protect themselves against this liability? Background checks, monitoring and spot checks are all permissible in the UK if there is sufficient transparency and employees are told it is happening. The key thing is to treat your staff well and do not just monitor them at the outset. Many of these cases start from a disgruntled employee.

“Employers should invest in Speak-Up programmes to allow staff to informally and formally raise grievances and these should be handled fairly.

“Also, a one-off background check is often only undertaken before employment commences. Consider making these standard for all promotions or where new roles and responsibilities are offered.”