Employers should be cautious following Morrisons data ruling
Legal experts have warned that employers should be cautious following the Morrisons data breach verdict.
Morrisons lost a challenge to a High Court ruling stating that it is liable for a data breach that saw thousands of its employees' details posted online by a disgruntled employee. The Court of Appeal upheld the original decision against the supermarket, issued in December 2017.
Workers brought a claim against the company after employee Andrew Skelton stole the data, including salary and bank details, of nearly 100,000 staff.
Morrisons said it will now appeal to the Supreme Court. If this fails those affected will be able to claim compensation from the supermarket for 'upset and distress'. The case is the first data leak class action in the UK.
It follows a security breach in 2014 when Skelton, then a senior internal auditor at the retailer's Bradford headquarters, leaked the payroll data of employees. Skelton posted the information – including names, addresses, bank account details and salaries – online and sent it to newspapers.
He was jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data.
The High Court said Morrisons was 'vicariously liable for the torts committed by Mr Skelton against the claimants'.
Nick McAleenan, a partner in the media law team at JMW Solicitors, who was representing the claimants, said they were "delighted" with the outcome.
"These shop and factory workers have held one of the UK's biggest organisations to account and won – and convincingly so," he added. "This latest judgement provides reassurance to the many millions of people in this country whose own data is held by their employer."
Morrisons said in a statement after the hearing: 'A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he's been found guilty for his crimes [...]
'Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. We are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible, so that's why we will now appeal to the Supreme Court.'
Nicola Fulford, a partner in Hogan Lovells' privacy and cyber security practice, said that employers should proceed with caution when dealing with personal data following this verdict: "[The] ruling serves as a sharp reminder of the importance of securing personal data and it is clear that the risks of class actions and of damages for distress for personal data breaches are real."
She added that while the news was surprising it shows that ‘people factors’ should be part of GDPR-compliance procedures.
"It is somewhat surprising that Morrisons lost on vicarious liability, given that the person who released the data has been convicted of a criminal offence. However, the decision underlines that data controllers need to consider not only technical security, but organisational and people factors in their GDPR compliance too."
Susan Hall, an intellectual property lawyer at Clarke Willmott, agreed that the decision was surprising and believes Morrisons was not to blame.
"This is a bewildering judgment. The first instance decision was in many respects shocking; with the judge himself acknowledging that Morrisons had done nothing wrong. The data was leaked by a disgruntled employee who was subsequently jailed for his actions."
She added that employers would now be worried about finding themselves in a similar situation.
"The verdict in the High Court effectively achieved the former employee’s purpose of punishing Morrisons by making it liable for potentially millions of pounds in compensation, through no fault of its own," said Hall. "That it has been upheld by the Court of Appeal will have employers up and down the country panicking as there is very little they can do to guard against a similar situation."