Employer responsible for malicious data breaches banner

News and Insight

Home / News and Insight / Legal News / Employer responsible for malicious data breaches

Employer responsible for malicious data breaches

Supermarket chain Morrisons was recently held liable for the actions of an employee who deliberately caused a massive data breach - despite being able to show it had effective data protection controls in place.

Information including the names, addresses, bank account and salary details of almost 100,000 staff, was posted on a file sharing website. The culprit was a disgruntled senior IT auditor who harboured a grudge because of disciplinary action.

More than 5,000 of the affected workers brought a group civil action against Morrisons. The supermarket chain now faces a potentially huge and expensive compensation pay out, after a Court of Appeal judgment demonstrating that employers can be responsible for data leaks even where malice is involved.

Payroll data

The data breach happened in 2013 when auditor Andrew Skelton was asked to transfer payroll data to Morrisons' external auditor. Instead, he copied the data on to a personal USB stick and posted the details on to a file-sharing website.

Within a few hours of discovering what Mr Skelton had done, Morrisons had taken steps to take down the information and informed the police.

Mr Skelton was arrested and charged with fraud under the UK Computer Misuse Act 1990 and section 55 of the English Data Protection Act 1998 (DPA) and sentenced to eight years in prison.

Disclosure at home

The supermarket argued that it could not be held vicariously liable in the group civil action because the actual disclosure of information was done by "Mr Skelton at his home, using his own computer, on a Sunday, several weeks after he had downloaded the data at work onto his personal USB stick."

The Court disagreed. It found that Mr Skelton's actions were "within the field of activities assigned to him by Morrisons" and the supermarket was thus held to be vicariously responsible for the serious data breach.

It also noted Mr Skelton's motivation was to take revenge on his employer and acknowledged the huge implications and burden on 'innocent employers' that the finding of vicarious liability could bring.

'Insure against such catastrophes'

When giving its ruling, the Court of Appeal sent a direct message to employers to 'get insurance' as a way of limiting their exposure to risk from the actions of employees with a vendetta against them.

It advised companies to 'insure against such catastrophes' and against 'losses caused by dishonest or malicious employees'.

What next?

Vicarious liability is a developing rule of law under which a business can be held strictly liable for the wrongdoing of others if there is a sufficiently close relationship and it is fair to hold the business responsible.

Although Morrisons is to appeal the decision to the Supreme Court, the case is undoubtedly significant. It stresses how important it is for all employers to ensure they have appropriate insurance, processes and policies in place with regard to data protection breaches.

  • To read more about how to make sure you have GDPR-compliant Data Protection Policy please click here.

For help and guidance about this area of the law, please contact Wards Solicitors' Business Employment team.