Morrisons Data Breach: Leak on Aisle 9

What’s Going On Here?

Morrisons has been found liable for a serious data breach which was deliberately leaked by an unhappy employee at the company.


What Does This Mean?

In 2014, Andrew Skelton, an internal auditor in the company, leaked the personal data of around 100,000 employees, including their names, addresses, bank account details and salaries. He was given an 8 year prison sentence for this. Since then, over 5,000 employees have joined together demanding compensation from Morrisons for the breach of their data. 


Why Should Firms Care?

In December last year, the High Court decided that Morrisons was liable for the breach. Since then, Morrisons appealed the decision arguing that it had done everything in its power to protect its employees’ data. But this week, the Court of Appeals has rejected Morrisons’ appeal, confirming that the supermarket is vicariously liable for the actions of Mr. Skelton. Interestingly though, the Court did acknowledge that Morrisons had done as much as it reasonably could do to prevent the misuse of data and was complying with all of the new GDPR guidelines (you can read our guide on GDPR here). 

This result has drawn criticism from some commentators as they think that it will “open the floodgates” if a company that has followed all the rules can still be found liable. Jonathan Maude, partner at law firm Vedder Price, argues that “this decision goes against 100 years of jurisprudence” as employers shouldn’t be held responsible if their employees have behaved unreasonably. Ultimately, Mr. Skelton’s actions were as a result of being unhappy at work, making Morrisons the intended victim in the breach. But the Court said that Morrisons could have taken even more steps to protect the data (even though they didn’t go into detail as to how).

This outcome has got companies worried and lawyers are agreeing that they should be. Simply following the data regulations has been shown not to be good enough to avoid liability. Toni Vitale, a lawyer at Winkworth Sherwood, is advising her clients to identify any unusual behaviour in their staff and query it. “Background checks, monitoring and spot checks are all permissible in the UK if employees are told it is happening,” she says. Law firms must be aware that even the most data conscientious clients can be exposed to enormous financial liabilities through the actions of their employees. Clients should be advised to revisit their recruitment procedures, their data protection policies and their insurance position to ensure that they are adequately protected in such a situation. 

Morrisons are planning to appeal this decision to the Supreme Court. But this case has already proven that the law is not on the employer’s side when it comes to data protection and good data practices just aren’t good enough

Report written by Idin S.

If you're interested in writing for Littlelaw, click here for more information