
  • Morrisons Held Vicariously Liable for Rogue Employee's Data Leak

    5th February 2018

    In a workplace context, an employer can be found liable for the acts or omissions of its employees, provided it can be shown that they took place in the course of their employment – i.e. where there is sufficient connection between the employee's position and the wrongful conduct to make it right for the employer to be held responsible.

    In the first class action in the UK arising from a data leak (Various Claimants v WM Morrisons Supermarket plc), the High Court has ruled that an employer can be held liable for the criminal actions of a rogue employee in breach of the Data Protection Act 1998 (DPA).

    The data in question was leaked by an IT specialist who worked for Morrisons as a senior internal auditor. He bore a grudge against the supermarket chain after an unrelated incident that had resulted in disciplinary action.

    He had access to the company's personnel files as employees' payroll data was needed for an audit. He later copied details – including names, addresses, dates of birth, telephone numbers, bank details and salaries – of almost 100,000 of his fellow workers and placed them on a file-sharing website.

    Morrisons learned of the leak after a CD containing a copy of the data was sent to three newspapers. Concerned that the leak might expose its staff to fraudulent 'phishing' or identity theft, the company took swift and effective steps to remove the data from the Internet. The perpetrator was subsequently identified and convicted of offences under the Computer Misuse Act 1990 and the DPA. He was given an eight-year prison sentence.

    More than 5,500 of the affected employees lodged damages claims against Morrisons, alleging that it was both directly and indirectly liable for the IT specialist's actions.

    The company was alleged to have breached its strict duties under the DPA to protect its employees' personal data. Other claims of misuse of personal data and breach of confidence were also pursued.

    The Court noted that any system that permits human access to data involves inevitable risks. Morrisons had in place internal checks and had taken appropriate steps to protect the data by limiting access to a few trusted employees. There was no way it could have known of the IT specialist's intentions and there had been no failure to provide adequate and proper controls. The company's sole failing was that it did not have an organised or failsafe system in place for the deletion of data stored on individual workers' computers.

    Nevertheless, the Court found Morrisons indirectly – or vicariously – liable for the IT specialist's criminal acts. It had deliberately entrusted him with its payroll data and he had been put in a position where he could handle it and disclose it to third parties. There was a sufficient connection between his job and his wrongful conduct to make it just for the chain to be held liable.

    The Court's ruling has opened the way for the claimants to seek compensation. However, in granting Morrisons permission to challenge its decision before the Court of Appeal, the Court noted that the company was itself the primary target and victim of the embittered IT specialist's actions. The result of the case could be viewed as the Court acting as a 'witting instrument of the criminal' in the furtherance of his criminal objectives.

    Caroline Mitchell, Employment Solicitor, says: "The General Data Protection Regulation, which comes into effect on 25 May 2018, imposes additional data protection obligations on employers. One significant change is the introduction of the 'accountability principle', whereby data controllers will have a duty to keep records to demonstrate how they comply with the data protection principles – for example by documenting the decisions taken about a processing activity. This will include proving that access to data is restricted to only those personnel necessary and that data is deleted when it is no longer needed. We can assist you in preparing for the changes this will entail."

    For information and advice contact us in Devizes on 01380 722311.
