Supermarket Morrisons has been held “vicariously liable” for a former employee leaking personal information of some 100,000 members of staff, in a ruling that has sent shivers up the spine of CIOs and CISOs around the country.
It lost its appeal yesterday in a landmark High Court ruling following the UK’s first data protection class action, made by 5,518 claimants. The Bradford-based chain has vowed to appeal against the Court of Appeal’s ruling.
The outcome has significant implications for all data controllers and data processors as Morrisons was held vicariously liable even though, overall, it had discharged its own obligations as required under the Data Protection Act 1998 and common law.
Morrisons Data Case: What’s the Background?
The case was launched after workers’ personal details were leaked online by IT employee Andrew Skelton in 2014.
Skelton, who was jailed for eight years in July 2015 for his actions, leaked details including salaries, dates of birth and more.
If the supermarket continues to lose its appeals, it will have to pay substantial compensation to 5,518 claimants.
The Ruling: No Primary Liability, But…
The initial landmark ruling in January this year found that Morrisons had no “primary liability”. Vicarious liability depended on whether a sufficient connection existed between the actions of Skelton and the “course of [his] employment.”
The court found, as law firm Allen & Overy emphasises, that there was a sufficient connection because:
an unbroken thread linked Skelton’s employment to the disclosure as a “seamless and continuous sequence of events”;
Morrisons deliberately entrusted Skelton with the data during the course of his employment; and
Morrisons tasked Skelton with receiving, storing and disclosing the data; therefore, his actions (albeit unlawful) were closely related to the task he was given.
“A Serious Warning” for Business Leaders
Oz Alashe, CEO of cybersecurity awareness and training platform CybSafe, told Computer Business Review in an emailed statement: “This failed appeal serves as a serious warning for business leaders across the country.”
He added: “Organisations now have a far greater duty of care to protect users and prevent the unlawful activities of disgruntled staff. They must be far more careful about what information staff have access to across every part of the business. For very large organisations in particular, this ruling drastically complicates their requirements to guard against the risk of data security breaches.”
Lesley Holmes, Data Protection Officer at MHR, added: “This case highlights the levels of technical and organisational controls that need to be in place even in the most trusted parts of your business to ensure that personal data is not stolen or otherwise misused.”