The Court of Appeal has ruled that Morrisons is liable for a data breach which saw thousands of its employees’ details posted online by a disgruntled ex-employee, Mr Skelton.
The judgment has come as a shock to businesses after the Court of Appeal found the supermarket liable for the actions of its employee in this case. Mr Skelton posted the names, addresses, bank account details, national insurance numbers and salaries online. Following a criminal trial he received a custodial sentence of eight years. In the civil trial, the Court of Appeal considered the risks faced by the affected employees, in that they could easily have had money taken from their bank accounts. If such a situation had arisen, their only claim would have been against Mr Skelton.
HR teams should take note of how difficult it will be for employers to avoid vicarious liability for the acts of their employees, even when those acts are criminal in nature. If the acts are sufficiently closely connected to the employment, it may be found fair and just to hold the employer liable. In this case, more than 5,000 affected Morrisons employees are seeking compensation (although it is questionable whether they have incurred any loss themselves). Although HR teams may have taken on large projects to ensure their businesses are GDPR compliant when it comes to dealing with employee personal data, this case shows that this may not be enough. Businesses will also need to review IT systems to ensure they are not vulnerable to disgruntled ex-employees. For Morrisons, it is difficult to see what more it could have done. The Court of Appeal’s only advice was to encourage businesses to insure against such claims. Morrisons has already said it will appeal the decision to the Supreme Court, disputing that it should be held responsible for its ex-employees’ criminal acts. The judgment can be found here: https://www.bailii.org/ew/cases/EWCA/Civ/2018/2339.html