by Justin Govier, Partner at IBB Solicitors
The Court of Appeal has upheld a High Court ruling finding supermarket chain Morrisons legally liable for a data leak caused by a former employee which affected around 100,000 members of staff.
The case marks the first class action suit for a data breach in the UK and saw over 5,500 Morrisons staff seeking damages from their employer after auditor Andrew Skelton leaked their personal information, including salary and bank details, online and to newspapers.
Three senior judges concluded that Morrisons was “vicariously liable” for the offence, for which Mr. Skelton was jailed for eight years in 2015.
The food retailer could now be liable to pay compensation worth millions of pounds to its affected employees and has said that it will now apply for a further appeal to be heard in the Supreme Court. As the first ruling of its kind, the case is expected to set a significant precedent for companies across England and Wales. Employers may now be liable to pay vast sums to people affected by data breaches caused by individual staff negligence or overall failures of the corporation.
A legal representative for the claimants welcomed the verdict, stating: “The judgment is a wake-up call for business. People care about what happens to their personal information.”
They maintained that it was only fair to “expect large corporations to take responsibility when things go wrong in their own business and cause harm to innocent victims.”
Ruling could impact all UK employers
Many lawyers have been quick to criticise the ruling as a dangerous precedent which opens the floodgates for companies to be forced to pay unforeseeable costs in compensation for data breaches beyond their control.
One critic pointed out that the verdict “effectively achieved” Skelton’s “purpose of punishing Morrisons by making them liable for potentially millions…in compensation, through no fault of their own.”
Skelton deliberately leaked the data in an act of revenge against the supermarket group after he was disciplined for operating an ecommerce business through the company’s mail room at its Bradford headquarters.
Experts underline that there is “very little [companies] can do to guard against a similar situation,” since such acts may not be mere negligence but wilfully and maliciously planned to hurt the firm.
Judges in the ruling admitted that finding employers vicariously liable for any data breaches caused by staff could result in firms being ordered to pay “potentially ruinous amounts” in compensation. However, they maintained that companies could protect themselves by “insur[ing] against losses caused by dishonest and malicious employees.”
Retailer seeks further appeal to Supreme Court
Employers are already advised to insure against their liability to pay damages for harm caused by employee negligence.
Under the doctrine of vicarious liability, employers are legally responsible for the acts and omissions of their staff, provided the staff member was acting in the course of employment. Beyond taking out insurance, companies should also take all reasonable steps to ensure that their systems and strategies for protecting personal data are secure.
Thorough processes should be in place for deleting personal data that is no longer needed, and those in a position to access sensitive information should be monitored closely. The bottom line in many cases, however, appears to be that companies will be held liable for the harm caused by employees wherever necessary to ensure that victims receive adequate compensation.
A spokesperson for Morrisons emphasised that the chain had “not been blamed by the courts for the way it protected colleagues’ data.”
The spokesperson added that the retailer was “not aware that anybody suffered any direct financial loss” and believed it “should not be held responsible” for the “criminal actions” of a former employee which were “targeted at the company.”
Employment law advice for employers
Find out how we can protect your business and your reputation from the acts and omissions of employees by calling us on 03456 381381.