Morrisons data breach: Could the supermarket have done more?

This week's Court of Appeal decision that Morrisons was vicariously liable for a serious data breach by a disgruntled employee has got employers worried. Jo Faragher explains why.

The supermarket chain faces a huge potential payout to employees whose personal data was compromised when Andrew Skelton, an internal auditor, posted the names, bank account details, salaries and national insurance details of nearly 100,000 employees online.

Skelton was given eight years in prison for fraud, securing unauthorised access to computer material and disclosing personal data at a criminal trial in 2015. Then, last year, the High Court ruled that Morrisons was vicariously liable for the breach and should compensate those staff. More than 5,000 employees who were affected have been involved in bringing a case against the supermarket.

But Morrisons has just lost its appeal against the initial decision, with three Court of Appeal judges finding the company's argument that it could have done nothing to prevent the breach "unconvincing".

"Suppose he had misused the data so as to steal a large sum of money from one employee's bank account," the judgment read. "If Morrisons' arguments are correct, then (save for any possible claim against the bank) such a victim would have no remedy except against Mr Skelton personally."

Observers have called the Court of Appeal decision "bewildering" and "a salutary tale", warning that it could open the floodgates for increasing numbers of employers being held to account for the behaviour of their employees.

What could it have done?

For its part, Morrisons has argued that it could not be held liable for the criminal misuse of its data, but could it have done more to protect its employees? The advent of GDPR earlier this year, as well as high-profile data breaches at Facebook and elsewhere, means our personal data, and how it is stored and used, is now at the centre of public consciousness.

"There is an argument that Morrisons should have had adequate arrangements for ensuring the deletion of data such as the payroll data briefly stored on Skelton's computer, and arguably the point at which Mr Skelton obtained the employee data exposed a vulnerability in Morrisons' processes, but the courts haven't given much steer as to how this should have been dealt with in practice," says Stephanie Creed, a senior associate in the employment, pensions and mobility team at Taylor Wessing.

"That said, if an employee is convicted in respect of his actions relating to a data breach and given a significant jail term, and the employer is still found vicariously liable for the data breach, this suggests that the protective strength of policies may not be that strong and employers are right to be concerned."

Lesley Holmes, data protection officer at software company MHR, adds that "the original decision looked at the relationship between the company and Andrew Skelton and traced a golden thread of accountability throughout the collection, use and disclosure of the data for both parties.

"The case highlights the levels of technical and organisational controls that need to be in place even in the most trusted parts of your business to ensure that personal data is not stolen or otherwise misused."

Colin Tankard, managing director of cyber-security consultancy Digital Pathways, argues that while companies can rarely legislate for when an employee might "go rogue" in the way that Skelton did, closer observation of unusual activities and listening to employees' concerns could mitigate risk.

"It's hard to know whether Morrisons was aware there was any unusual behaviour, but you'll frequently find that if someone is going to take action because they're disgruntled it pays to watch them more closely," he says.

What happened?

In 2013, Andrew Skelton, a senior IT internal auditor at Morrisons, received a formal verbal warning for using company posting facilities for private purposes. He was also accused of dealing legal highs at work.

He then requested payroll data in order to undertake the annual audit. A member of the HR team copied the data onto an encrypted USB stick, which Skelton then downloaded onto his laptop and copied onto a personal USB stick.

Skelton then took the data from the USB stick - personal details for 99,998 employees - and posted it onto a file-sharing website. He later sent a CD containing a copy of the data to three newspapers, just as the company was about to announce its annual financial results.

Morrisons' management were alerted to the disclosure, taking steps within a few hours to get the data taken down. Skelton was arrested and convicted of fraud, unauthorised access to computer material and disclosing personal data, and sentenced to eight years in prison.

"HR can sometimes be a barrier to closer monitoring of employees because they're concerned about breaching privacy or confidence, but pulling together bits and pieces from different sources can alert them to potential risks. Perhaps you've logged that someone's started coming in at weekends or is frequently working late. Why is someone emailing out 50MB of data? Has this person recently had a bad performance review?"

Tankard adds that more stringent controls on bring-your-own-device policies, external emails and the use of USB sticks - particularly for those who have frequent access to sensitive data - could have prevented inappropriate access to personal details.

"It's about balance. If someone's in a sensitive role they shouldn't have access to the USB port on their PC - that's not a breach of their privacy, they shouldn't need to have access in the first place," he explains.
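The cross-source correlation Tankard describes - weekend logins, unusually large outbound emails, removable media use by staff with bulk access to personal data, a recent HR flag - can be expressed as a small rule set run over existing logs. The Python script below is an added example and is not from the article or from any of the organisations it quotes; the log format, field names, role names, thresholds and mail domain are assumptions, and the log lines are constructed. It scores each user by the number of distinct signal types seen and returns only those who trip more than one, which is the "pulling together bits and pieces" step rather than alerting on any single event.

```python
"""Correlate insider-risk signals from several log sources (added example).

Event format (assumed, one event per line):
    <ISO timestamp> <source> <action> key=value key=value ...
Sources used here: vpn (login), mail (send), usb (mount), hr (flag).
"""
from collections import defaultdict
from datetime import datetime

INTERNAL_DOMAIN = "example.test"                   # assumed corporate mail domain
LARGE_MAIL_MB = 20                                 # assumed size threshold for outbound mail
SENSITIVE_ROLES = {"payroll", "internal_audit"}    # assumed roles with bulk access to personal data

# Constructed sample events; 2013-10-26 is a Saturday.
SAMPLE_EVENTS = [
    "2013-10-26T08:40:00 vpn login user=aud01 role=internal_audit",
    "2013-10-28T19:55:00 mail send user=aud01 to=drop@outside.test size_mb=52",
    "2013-10-29T10:02:00 usb mount user=aud01 role=internal_audit device=removable",
    "2013-10-29T11:00:00 hr flag user=aud01 reason=formal_warning",
    "2013-10-28T14:10:00 mail send user=ops02 to=team@example.test size_mb=3",
    "2013-10-28T14:30:00 usb mount user=ops02 role=warehouse device=removable",
    "2013-10-26T09:00:00 vpn login user=ops02 role=warehouse",
]


def parse_event(line):
    """Split one log line into a dict of timestamp, source, action and key=value fields."""
    ts, source, action, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"ts": datetime.fromisoformat(ts), "source": source, "action": action, **fields}


def signals_for(ev):
    """Return the list of risk signals a single event contributes (possibly empty)."""
    found = []
    # Out-of-hours access: VPN login on a Saturday or Sunday.
    if ev["source"] == "vpn" and ev["action"] == "login" and ev["ts"].weekday() >= 5:
        found.append("weekend_access")
    # Large email leaving the organisation.
    if ev["source"] == "mail" and ev["action"] == "send":
        external = not ev.get("to", "").endswith("@" + INTERNAL_DOMAIN)
        if external and float(ev.get("size_mb", 0)) >= LARGE_MAIL_MB:
            found.append("large_external_mail")
    # Removable media mounted by someone in a role that handles bulk personal data.
    if ev["source"] == "usb" and ev["action"] == "mount" and ev.get("role") in SENSITIVE_ROLES:
        found.append("removable_media_in_sensitive_role")
    # HR-originated context (warning, poor review) recorded as a signal, not a verdict.
    if ev["source"] == "hr" and ev["action"] == "flag":
        found.append("hr_flag:" + ev.get("reason", "unspecified"))
    return found


def correlate(lines, min_signals=2):
    """Map user -> sorted distinct signals, keeping users with at least min_signals."""
    per_user = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for sig in signals_for(ev):
            per_user[ev["user"]].add(sig)
    return {user: sorted(sigs) for user, sigs in per_user.items() if len(sigs) >= min_signals}


if __name__ == "__main__":
    for user, sigs in correlate(SAMPLE_EVENTS).items():
        print(f"review {user}: {', '.join(sigs)}")
```

On the constructed input only aud01 is returned, with four distinct signals; ops02 has a single weekend login and is not surfaced, which is the point of requiring corroboration across sources before anyone is "watched more closely". The HR signal is deliberately a label rather than a score multiplier, so that a warning on its own never triggers review.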

Proximity to role

One of the arguments the judges presented in upholding the initial decision was that Skelton's actions related closely to his role, and this was a clear factor in determining the employer's liability.

We have seen this in other recent decisions - not least another case involving Morrisons in 2016, when a petrol station attendant attacked a customer and the company was held liable for the attack in the Supreme Court. More recently, the Court of Appeal held a recruitment company vicariously liable for an assault on another member of staff by a director at its Christmas drinks.

As Toni Vitale, head of regulation, data and information at law firm Winckworth Sherwood, points out: "The judge commented that when the employee received the data, he was acting as an employee, and the chain of events from then until disclosure was unbroken. Morrisons had entrusted him with the data, and took the risk that they might be wrong in placing trust in him."

Vitale advocates a tougher approach to data protection coupled with fostering a culture where unusual behaviour can be discussed without fear of retaliation. "Background checks, monitoring and spot checks are all permissible in the UK if there is sufficient transparency and employees are told it is happening," she says.

"The key thing is to treat your staff well and do not just monitor them at the outset. Many of these cases start from a disgruntled employee. Employers should invest in speak-up programmes to allow staff to informally and formally raise grievances and these should be handled fairly.

"Also, a one-off background check is often only undertaken before employment commences. Consider making these standard for all promotions or where new roles and responsibilities are offered."

Worrying trend?

The Information Commissioner's Office (ICO), which has handed out millions of pounds in fines to companies that have suffered data breaches in the past, said it investigated the incident in 2014 and "determined that no formal action was necessary".

A spokesperson added: "We are aware of the outcome of Morrisons' appeal as well as their intention to appeal to the Supreme Court, and will consider the findings once the legal process is complete."

But Jonathan Maude, partner at law firm Vedder Price, believes this latest decision demonstrates a worrying trend towards employers being held liable for an employee's actions simply because of the connection to their role, regardless of what that individual's motives might have been.

"Historically there's been an exemption for employers where someone has behaved unreasonably, and this dates right back to the early 1900s. This decision goes against more than 100 years of jurisprudence," he says. "The key thing the judges looked at was whether there was a sufficiently close connection between the act and the job - as they had done in the petrol station attendant case before."

"This makes it very difficult for employers to legislate against, especially with regard to modern day working environments where we trust employees to work remotely, use a company's equipment and send emails externally."

The Court of Appeal judges made no apologies about the potential for claims against the employer where staff were seeking recourse for what happened.

The judgment said: "The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees. We have not been told what the insurance position is in the present case, and of course it cannot affect the result."

Yet Maude points out how this approach places employers in a difficult position - if employers being held liable for employee misconduct becomes more common, what insurer is going to cover that eventuality?

"At the end of the day the law is not on the employer's side," he adds. "All an employer can do is impress on employees the need to behave reasonably and in accordance with the duties they've been assigned. The legal requirement to establish a 'sufficient connection' between the act and the role seems pretty broad and could end up with the employer on the hook."