Morrisons, the Supermarket chain, has launched an appeal against a High Court ruling last year which left them owing thousands of employees compensation for their part in a disgruntled employee’s data breach.
The High Court ruled last year in the first ever data breach class action in the UK, that Morrisons were vicariously liable when an employee, Andrew Skelton, whilst acting in the course of his employment, accessed and leaked payroll data of more than 100,000 employees. The leaked data included personal data such as names, addresses, salaries and bank account details.
The outcome of the appeal will make for interesting reading, with Morrisons contending that they should not be held vicariously responsible for criminal conduct on the part of Andrew Skelton. The broader issue for companies, particularly under the new GDPR, is what technical and organisational measures are they required to put in place to protect from cyber-attacks but also internal leaks. Internal leaks come in the form of unintended disclosure as well as malicious disclosure of personal data. It is critical that companies have adequate safeguards and protections in place and are also seen to be implementing them.
For employers, the prospect of being vicariously liable for an employee data breach is a daunting one – particularly with the increased penalties under the GDPR. The ruling last year placed increasing and perhaps harsh pressures on employers to ensure that effective security systems, protections and employee monitoring are in place to prevent employee data breaches, a task for those with a high number of employees which can be both onerous and far reaching. Perhaps the most daunting prospect for employers is that there doesn’t appear to have been much Morrisons could have done to avoid the breach.
Morrisons data breach sounds warning on vicarious liability