Continuing legal disputes between Morrisons supermarket chain and employees caught up in a data leak could have major risk implications for employers under the General Data Protection Regulation.
Morrisons was ruled to be vicariously liable for a data breach caused by the actions of a former employee, and has now been allowed to appeal to the Supreme Court in a last-ditch attempt to overturn the decision.
The initial incident occurred in 2014, when a dissatisfied employee, Andrew Skelton, leaked the personal details of 100,000 staff online. It was reported that the former senior internal auditor at the supermarket’s Bradford head office held a grudge against bosses following internal disciplinary procedures.
Data on staff salaries, financial information and national insurance numbers were sent to newspapers and posted online by Skelton, who was eventually sentenced to eight years in jail in July 2015.
Courts heard how 5,518 Morrisons employees brought a claim for compensation against the company under the Data Protection Act 1998, citing misuse of private information and/or breaches of confidence. In short, Morrisons was accused of not keeping private data safe, and therefore responsible for the consequent breach and the risk of financial loss or identify theft to which it exposed its victims.
Morrisons was eventually found liable for the actions of Andrew Skelton, which had affected employees and ex-employees, enough for those involved to claim for compensation for distress. The Court of Appeal upheld the ruling, but Morrisons has now been granted leave to appeal to the Supreme Court.
If upheld in the Supreme Court, employers may be at enhanced risk of being held responsible for the acts of rogue employees in future, even if those employees seek to abuse their position in order to cause as much damage as possible.
In light of such a ruling, organisations will have to strengthen vetting and monitoring processes to cover their backs. Although no measures can amount to a guarantee that such behaviour will not be repeated, organisations will have to conduct themselves in line with applicable data protection laws. Employers may also have to think about sourcing appropriate insurance should the worst happen.
In Morrisons’ favour, measures had been put in place to protect personal data to satisfy DPA standards, but while shortcomings had been identified by the ICO, no enforcement action was taken. Inadequate compliance standards could have led to further regulator trouble for the supermarket, which has spent £2 million dealing with the breach since it broke five years ago.
The most significant concern for organisations in future may be the potential for a group of employees to launch a class-action lawsuit for distress following a data breach.