Morrisons indirectly liable for data leak

Posted: 6th December 2017

Can employers be held liable for the criminal actions of rogue workers who disclose colleagues' personal data on the Internet?

In an important test case arising from a huge data leak from the personnel files of Morrisons, the High Court has answered that question in the affirmative.

The case concerned a trusted IT specialist, Andrew Skelton, who worked for Morrisons but bore a grudge against the company after being disciplined.

He copied the personal details – including names, addresses, dates of birth, telephone numbers, bank details and salaries – of almost 100,000 of his co-workers from the supermarket's personnel files and posted them on a file-sharing website.

Morrisons was tipped off about the leak after a CD containing a copy of the data was sent to three newspapers. Deeply concerned that the leak might expose its staff to phishing or identity theft, Morrisons took swift and effective steps to have the data removed from the web. The perpetrator was in due course identified and, after he was convicted of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA), he was jailed for eight years.

Lawyers representing more than 5,500 of the affected employees lodged damages claims against Morrisons, alleging that it was both directly and indirectly liable for Mr Skelton's misdeeds. The supermarket chain was alleged to have breached its strict duties under the DPA to protect its employees' personal data. Claims for misuse of private information and breach of confidence were also pursued.

Ruling on the claims, the Court noted that any system that permits human access to data carries unavoidable risk. Morrisons had internal checks in place and had taken appropriate steps to protect the data by limiting access to a small number of trusted employees.

There was no way that Morrisons could have known of Mr Skelton's grudge, and there had been no failure to provide adequate and proper controls. Morrisons had not been obliged to routinely monitor employees' internet access, and its sole failing was the lack of an organised, or failsafe, system for deleting data stored on individual workers' computers. That failing was not found to have caused the leak, so the direct liability claims failed.

The supermarket chain was nevertheless found indirectly (vicariously) liable for Mr Skelton's criminal acts. It had deliberately entrusted him with its payroll data, and in doing so had put him in a position where he could handle it and disclose it to third parties. There was a sufficiently close connection between his job and his wrongful conduct to make it just for Morrisons to be held liable.

The Court's ruling opened the way for the affected employees to seek compensation. However, in granting the supermarket chain permission to challenge the decision before the Court of Appeal, the Court noted that Morrisons was itself the primary target and victim of the embittered IT specialist's actions, and acknowledged that the outcome could be viewed as the Court acting as an accessory in the furtherance of his criminal objectives.