Morrisons data leak: implications for employers

As Morrisons is granted permission to appeal its vicarious liability case, where a rogue employee leaked its employees' personal data, James Castro-Edwards examines the impact it has in light of the General Data Protection Regulation (GDPR).

It is difficult to imagine anyone working in human resources who has not heard of GDPR, or at least, the eye-watering penalties for failing to comply with its requirements.

However, ongoing litigation between the Morrisons supermarket chain and a number of its employees whose personal data was leaked online could give rise to a risk of comparable concern to employers as the GDPR itself.

The High Court and Court of Appeal both found Morrisons to be vicariously liable for a personal data breach caused by the actions of a rogue employee. Morrisons has now been granted leave to appeal to the Supreme Court, its last opportunity to overturn the decision. Whatever the outcome of the appeal, it will have far-reaching consequences for employers.

Morrisons data leak - the background

In 2014 Morrisons found itself the victim of a data breach carried out by a disgruntled employee, who deliberately leaked the details of 100,000 staff members. Andrew Skelton, a senior internal auditor at the supermarket's Bradford head office, reportedly bore a grudge against his employer after an internal disciplinary concerning his alleged running of a personal business from Morrisons' premises.

Skelton sent information about staff salaries, bank details and national insurance numbers to several newspapers and posted the information on various data sharing websites. As a result, in July 2015, Skelton was sentenced to eight years' imprisonment.

In group litigation proceedings, 5,518 Morrisons employees and former employees (a small sample of the thousands of staff affected) brought a claim for compensation against the supermarket for breaches of the Data Protection Act 1998 (DPA), misuse of private information and/or breaches of confidence.

The claim against Morrisons was in essence based on the fact that its employees entrusted their information to their employer, who failed to keep it safe. The breach exposed the affected individuals to the risk of identity theft and potential financial loss. The claimants argued that Morrisons was primarily liable for the breach, or alternatively, liable vicariously for the acts of Mr Skelton.

The High Court, in its judgment that was reported in December 2017, dismissed the primary claims as Morrisons had not misused the personal data, nor authorised its misuse, and had appropriate measures in place that were intended to prevent misuse of personal data by Morrisons employees.

However, the court found Morrisons liable for the actions of the former employee, allowing the affected employees and ex-employees to claim compensation for distress. Morrisons appealed the High Court's decision in October 2018, and the Court of Appeal upheld the decision of the lower court, ruling that the supermarket chain was responsible for the data breach caused by Mr Skelton. Morrisons was granted permission to appeal to the Supreme Court, though a date for the appeal hearing has not been set.

Employer implications

The outcome of Morrisons' appeal to the Supreme Court will be of concern to employers. If the Court of Appeal's decision is upheld, it exposes employers to the risk of being found liable for the acts of rogue employees, even where their intent is to inflict maximum damage on their employer.

Businesses will need to implement appropriate vetting and monitoring processes, though such measures cannot be foolproof and must themselves be conducted in accordance with applicable data protection legislation, which is a complex balancing act. As a fallback position, employers will need to consider obtaining appropriate insurance.

Morrisons had implemented technical and organisational measures designed to protect personal data, which meant that it had met its requirements under the DPA. A deficiency was identified, but the Information Commissioner's Office (ICO) took the decision not to pursue enforcement action. Had Morrisons been found to be lacking in its data protection compliance measures, it could potentially have faced enforcement action from the ICO in addition to the group litigation claim from the affected employees. Morrisons is reported to have spent £2 million dealing with the breach to date.

Perhaps the biggest concern for businesses will be the potential emergence of group litigation claims for distress following a personal data breach. The principle has been established for some time that individuals can claim damages for pure distress (i.e. without needing to prove financial loss) where their personal data has been misused.

There is a concern that affected individuals (whether they are employees or customers) could bring a group claim for compensation against the organisation that has suffered a personal data breach, on the basis that the loss of their personal data caused them distress.

Each affected individual might reasonably be able to claim a few hundred pounds to cover their time, inconvenience and worry arising from their personal information being the subject of a personal data breach. As a one-off, this may not be of particular concern to organisations, but if such a sum were to be claimed by 5,000, 100,000 or more individuals, it would be a very different matter.