Employers may be liable for confidential data leaks caused by current or former employees, after the High Court found retailer Morrisons vicariously liable for the actions of a worker who exposed 100,000 colleagues’ personal information to the public.
The supermarket had denied liability for the actions of Andrew Skelton, a senior internal auditor at its Bradford headquarters, who stole information including the salaries, birth dates and bank details of vast swathes of its workforce in 2014. He then leaked the information via data sharing websites and shared it with several newspapers.
The day after the leak took place, Morrisons informed the affected employees of the stolen data and said it had been taken offline. More than 5,500 employees brought a claim against the supermarket for allowing their data to be stolen. They argued that the retailer, which had been awarded £170,000 in compensation against Skelton, should compensate his individual victims.
In the UK’s first data protection class action, the High Court last week found that the data theft exposed employees to the risk of identity theft and potential financial loss, and said the company was responsible for breaches of privacy, confidence and data protection laws. Any compensation to the employees who brought the case will be decided at a later date.
Justice James Langstaff, who presided over the case, found that Morrisons had provided “adequate and appropriate controls” and neither knew nor ought to have known that Skelton bore a grudge against the company and posed a threat. He said: “It was a criminal act that was not Morrisons’ doing, which was not facilitated by Morrisons.”
But the judge held that the supermarket was liable as a secondary party for the wrongs of which Skelton himself “was undoubtedly guilty”, partly because he was, to a greater or lesser degree, under the control of his employer. The judge found that the Data Protection Act did not impose primary liability on Morrisons, because it had not been shown to have broken any of the data protection principles; the liability arose instead from its relationship with Skelton as his employer.
The ruling means a further 94,000 people affected can also claim compensation.
Skelton was charged with fraud and offences under the Computer Misuse Act and the Data Protection Act in November 2014 by the Crown Prosecution Service, before appearing at Bradford Magistrates' Court in December 2014, where he once again denied the allegations.
The jury in his original trial heard that he had leaked the information in anger after receiving an official warning about using Morrisons' post room to send personal packages, including to sell legal highs. Skelton also attempted to conceal his actions by setting up a fake email account designed to implicate a colleague for the crime.
In July 2015, the jury at Bradford Crown Court found him guilty on three counts: fraud by abuse of position, unauthorised access to data with the intent of committing an offence, and disclosing personal data. He was jailed for eight years.
Alison Deighton, partner and head of the data protection and privacy team at law firm TLT, said the ruling in the civil case was a “landmark decision in privacy law” that posed a serious threat to any organisation that suffers a significant data breach.
She advised companies affected by a data breach to prepare for compensation claims, as well as regulatory fines, and said they should review their information security procedures and consider how well they were protecting data from both internal and external threats. "Even if the compensation sums in this case end up being relatively small, they will be significant when they are multiplied by the large number of employees affected,” she said.
A Morrisons spokesperson added: “The judge found that Morrisons was not at fault in the way it protected colleagues’ data but did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and colleagues.
“The judge said he was troubled that the crimes were aimed at Morrisons, an innocent party, and yet the court itself was becoming an accessory in furthering the aim of the crimes – to harm the company. We believe we should not be held responsible so we will be appealing this judgment.”