A landmark legal decision has determined that Morrisons is responsible for a data leak, in which the personal details of around 100,000 of its employees were exposed by a disgruntled member of staff.
Back in 2014, a senior auditor for Morrisons leaked payroll data, including employee names, addresses, bank account details and salaries. A group of around 5,000 members of staff affected by the breach have been trying to claim compensation for the upset and distress caused by the incident, saying that Morrisons was responsible for the breach of their personal details.
Last week, Morrisons lost its appeal against those employees’ claims. The Court of Appeal determined that Morrisons was responsible - as employer - for the actions of its employee, even though those actions were unauthorised and fraudulent.
This decision is significant for a couple of reasons:
Class Action - this is one of the first successful class actions under data protection laws, against a large, high-profile company. The action has the potential to grow even further as more employees affected by the breach may come forward, given the success in both the High Court and Court of Appeal.
This should remind businesses that it is not just the Information Commissioner’s Office and regulatory fines that they should be wary of, but those individuals actually affected by the breach. As this breach occurred under the old law - the Data Protection Act 1998 - the maximum fine would be £500,000 but Morrisons’ total bill could end up being a lot higher than that.
Vicarious Liability - this claim is based on the fraudulent, illegal actions of an employee and not anything Morrisons institutionally did or failed to do. It has even been acknowledged that the company’s data security and processes were satisfactory.
This is known as ‘vicarious’ liability, whereby an employer is responsible for the actions of its employees in the course of their employment. However, this doesn’t normally apply where the employee’s actions are far beyond what would be expected or permitted in their role. Many legal experts believe this should include where an employee is guilty of a criminal offence but the Court of Appeal clearly disagrees.
This shows that, regardless of the policies and procedures in place, a business is only as reliable as the employees working for it.
Morrisons is appealing the decision, so it’s still possible that the decision will be reversed. Nevertheless, they have been seriously compromised by the actions of one employee.
So, what can we realistically do to protect ourselves in a situation like this? No business will ever be 100% fool (or rogue) proof but there are a few practical measures that will help to reduce risk and avoid incidents like this:
If you have any queries about data protection, policies or contracts, please get in touch: email firstname.lastname@example.org or call on 0117 929 5122.