Morrisons data leak: a cautionary tale for employers

In December 2017 the UK High Court held the UK supermarket chain Morrisons vicariously liable for the actions of a disgruntled ex-employee, Andrew Skelton, who had deliberately disclosed the personal data of just under 100,000 Morrisons employees. The finding stood even though Morrisons itself was found not to have breached its own data protection duties.

Morrisons’ appeal against that decision was heard towards the end of 2018. The Court of Appeal dismissed the appeal. It commented that the employee’s motive of damaging the company was irrelevant (even though the Court’s own decision added to that damage), and held that there was a sufficient connection between the employee’s actions and his employment to make Morrisons vicariously liable for the breach.

Given the level of damages involved (to at least some 5,518 employees who were claimants in the case), and the important legal principles at stake, Morrisons has indicated that it will seek to appeal to the Supreme Court. At the time of writing, that appeal has not yet been heard.

In the event of a data breach, a court will likely examine whether technical and organisational measures were in place that could have prevented it. Employers therefore need to ensure they can demonstrate compliance with all aspects of the GDPR. In this case, Morrisons did nothing wrong itself, but was liable nonetheless because the employee was held to have acted in the course of his employment.

The court commented that employers should look to insure themselves against such eventualities, so it is important to review the extent of your cover. It is also doubtful whether insurance cover for regulatory fines is enforceable.
Unfortunately, no amount of insurance cover can protect against the reputational damage involved, so organisations should also review their crisis response planning.

We can help your organisation meet its data protection requirements.