Morrisons loses appeal against data breach liability ruling

The Court of Appeal has upheld a December 2017 High Court ruling against Morrisons that held the supermarket chain liable for a  data breach in which a former employee posted the personal data of thousands of workers online in 2014.

The Court of Appeal ruled that Morrisons must pay compensation to 100,000 employees who were victims of the data breach by disgruntled employee Andrew Skelton, a senior internal auditor at the supermarket’s headquarters who deliberately leaked payroll information.

Skelton was jailed for eight years in July 2015 following a trial at Bradford Crown Court, which heard that he sent the information to newspapers and placed it on data-sharing websites.

In 2014, more than 5,000 of his former colleagues made a group claim against the retailer, which the High Court ruled was legally responsible for the data leak

Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who represents the 5,518 claimants, said they had held one of the UK’s biggest organisations to account and won.

“This latest judgment provides reassurance to the many millions of people in this country whose own data is held by their employer,” he said.

However, Morrisons responded to the ruling by saying it now plans to take its appeal to the Supreme Court.

“A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he has been found guilty for his crimes,” the retailer said in a statement.

“Morrisons has not been blamed by the courts for the way it protected colleagues’ data, but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.

“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.

“We believe we should not be held responsible, so that is why we will now appeal to the Supreme Court.”

Representatives of the cyber security industry said the Appeal Court’s ruling underlines the fact that organisations are ultimately responsible for the personal data they hold.

Simon Sharp, vice-president international at insider threat management firm ObserveIT, said the courts clearly do not believe Morrisons is devoid of all responsibility.

“Like any business holding sensitive data, it has an obligation to do what it can to adequately protect sensitive information – in this instance, some 100,000 employee records,” he said.
 
“To avoid being hit with expensive and damaging compensation claims like the one Morrisons is now facing, businesses need to take effective steps to identify and thwart insider threats before they become a problem.

“The introduction of easy-to-follow policies, coupled with effective monitoring technologies, have the ability to stop rogue employees in their tracks. This kind of approach is particularly important when staff have access to high-value information, such as payroll details.”

Corin Imai, senior security adviser at DomainTools, said that although data breaches usually involve the compromise of customer data, the effects of employee data breaches can be just as severe.

“The fact that payroll details were leaked is particularly concerning, as these are exactly the kind of details that malicious actors could use to commit identity or financial fraud,” she said.

Oz Alashe, CEO of cyber security awareness and training platform CybSafe, said the latest ruling makes it clear that even when a company is the victim of criminal activity from within its own organisation, ultimate responsibility for keeping personal data secure rests on its shoulders.

“This failed appeal serves as a serious warning for business leaders across the country,” he said. “Organisations now have a far greater duty of care to protect users and prevent the unlawful activities of disgruntled staff.

“They must be far more careful about what information staff have access to across every part of the business. For very large organisations, in particular, this ruling drastically complicates their requirements to guard against the risk of data security breaches.”

Harry Abrams, employment solicitor at law firm Seddons, said the ruling is a “stark reminder” to employers that they can be liable for the illegal acts of their staff. 

“This adds to recent rulings that have widened the scope of employers’ vicarious liability to now catch acts done by employees that are ‘job related’ and we are seeing a diminution of an employer’s ability to rely on the traditional defence that the employee was on a frolic of their own,” he said.