tashka2000 - Fotolia

Morrisons found liable for data leak in landmark ruling

Court finds supermarket chain liable for data leak by a former employee, which has been hailed as a landmark ruling, but Morrisons says it will appeal

The High Court has found Morrisons supermarket chain liable for a data breach in which a former employee posted the personal data of thousands of workers online in 2014.

The case against Morrisons relates to the posting on the internet of the bank, salary and national insurance details of almost 100,000 members of staff by a former colleague with a grudge.

Andrew Skelton was jailed for eight years in July 2015 following a trial at Bradford Crown Court, which heard that he sent the information to newspapers and placed it on data-sharing websites.

Skelton, who worked as a senior internal auditor at Morrisons’ Bradford head office, had previously been suspected of dealing controlled drugs at work.

At the time, industry commentators said the breach demonstrated the seriousness of insider threats. They said organisations need to ensure they have the required processes and controls in place because spotting cyber security incidents arising from inside a company can be particularly tricky because the perpetrator may have legitimate access, as was the case with Skelton.

More than 5,000 of his former colleagues made a group claim against the retailer. Commenting on the court’s decision, Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who represents the 5,518 claimants, hailed it as a landmark case.

“The High Court has ruled that Morrisons was legally responsible for the data leak,” he said. “We welcome the judgment and believe it is a landmark decision, being the first data leak class action in the UK.

“Every day, we entrust information about ourselves to businesses and organisations. We expect them to take responsibility when our information is not kept safe and secure.”

The consequences of this data leak were serious, said McAleenan. “It created significant worry, stress and inconvenience for my clients,” he said.

“Data breaches are not a trivial or inconsequential matter. They have real victims. At its heart, the law is not about protecting data or information – it is about protecting people.”

Read more about data protection

The judge, Mr Justice Langstaff, ruled that Morrisons was vicariously liable, although primary liability had not been established.

The ruling means that those affected by the breach can now claim compensation for the “upset and distress” caused.

When the class action was launched in October 2014, McAleenan said the case had important implications for every employee and every employer in the country.

“Whenever employers are given personal details of their staff, they have a duty to look after them,” he said. “That is especially important given that most companies now gather and manage such material digitally and, as a result, it can be accessed and distributed relatively easily if the information is not protected.”

McAleenan said Morrisons had failed to prevent a data leak that exposed thousands of its employees to the very real risk of identity theft and potential loss.

Tony Pepper, CEO of data security company Egress, said the ruling is a warning to all organisations that not only are they completely responsible for the data they hold, but they also need to control the way their employees access and handle this data.

“It is no doubt this ruling will send chills up the spines of many board members, who know that the risks of an employee leaking data are all too high,” he said. “In fact, a survey we recently ran with OnePoll showed that one in four UK workers had maliciously leaked business data, and a further 35% admitted to sending information over email by accident. That is potentially well over half of your workforce putting sensitive data at risk.”

It’s going to get tougher

As the EU General Data Protection Regulation (GDPR) compliance deadline of 25 May 2018 approaches, Pepper believes it is only going to get tougher for organisations that experience a data breach.

“Not only are the legislative penalties going to be higher, but where one class action has led, many more are likely to follow,” he said. “It is unlikely that Morrisons will remain the only company to have such action successfully taken against it for very long.

“As this breach shows, organisations cannot simply trust their staff to always do the right thing and we also know people will make mistakes. Companies need to start solving this problem by using technology to control employees’ access to sensitive data and the actions they can take with it.”

The Morrisons ruling comes just a day after a group led by consumer advocate and former executive director of consumer body Which?, Richard Lloyd, announced that it is to sue Google for £2.7bn on behalf of 5.4 million iPhone users in the first mass legal action of its kind in the UK.

Google allegedly collected personal information unlawfully by bypassing the default privacy settings on the iPhone between June 2011 and February 2012, according to the group, which calls itself Google You Owe Us.

The legal action is the latest to be based on claims that Google harvested the browsing histories of iPhone owners by using an algorithm bypassing the default privacy settings on the iPhone to block user tracking.

Peter Vicary-Smith, chief executive of Which?, said: “People have to put their trust in big companies like Google because they increasingly play a large role in our everyday lives. To have this good faith rewarded by Google taking advantage of people’s information without their consent is something that rightly must be challenged. This ​welcome ​campaign should empower consumers by bringing the issue into the spotlight and enabling those affected to rightly seek collective compensation.”

In a statement, Morrisons said that although a former employee had used his position to steal data about colleagues, he had been found guilty for his crimes and the judge found that Morrisons was not at fault in the way it protected employees’ data.

“[The judge] did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues,” the company said. “Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.

“The judge said he was troubled that the crimes were aimed at Morrisons, an innocent party, and yet the court itself was becoming an accessory in furthering the aim of the crimes, to harm the company. We believe we should not be held responsible, so we will be appealing this judgment.”

Read more on Privacy and data protection