Employers right to be worried about liability for staff actions
You may be aware that Morrisons recently lost its appeal against a high court ruling regarding a data breach that led to thousands of employees’ details being posted online. This has serious implications for all employers.
Morrisons, the supermarket chain, had a claim brought against it by its workers after an employee, Andrew Skelton, stole personal data – including names, addresses, salaries and bank details – of almost 100,000 staff. Morrisons lost the original claim. It then took the case to the Court of Appeal but lost that too. The Court of Appeal upheld the finding that Morrisons was vicariously liable for the torts committed by Mr Skelton against the [workers]. This is even though the judges acknowledged that the employee in question had taken the action specifically to injure his employer.
Regular readers may remember that back in 2014, Skelton, then a senior internal auditor at Morrisons’ headquarters, leaked the payroll data, posting it online and sending it to newspapers. He was jailed for eight years in 2015 after being found guilty of fraud, securing unauthorised access to computer material and disclosing personal data.
More than 5,000 of the affected employees brought a case, seeking compensation for distress and arguing the breach exposed them to possible identity theft and financial loss. The company argued it could not be held liable for the criminal misuse of its data.
The Morrisons case is the first data leak class action in the UK. Some experts have said that the case would be concerning for employers as it potentially places a far greater liability on them for the actions of their employees. It implies that if a close connection can be found between an employee's role and their conduct, that is likely to be enough to satisfy the requirements for vicarious liability.
This case is also significant in reminding employers of the importance of data protection in light of the GDPR and how strong control processes need to be in place even in highly trusted parts of the business. Taking action to ensure that data is protected from misuse by disgruntled employees is going to be even more important to businesses. For example, reconsidering a BYOD (Bring your own device) policy may be a positive step forward to ensure that employees do not have access to business data on their own equipment.
A spokesperson for Morrisons said the supermarket had “not been blamed by the courts for the way it protected colleagues' data, but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues”.
They said that they had worked hard to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, they said that they were not aware that anybody suffered any direct financial loss.
Morrisons said it planned to appeal the decision to the Supreme Court. Therefore, any changes to this situation will be reported here.
Posted on 01 Nov 2018