Date updated: Monday 3rd December 2018

On 12 January 2014, a disgruntled employee at Morrisons Supermarket, Andrew Skelton, posted online the payroll data for 99,998 employees of Morrisons. This included NI numbers, names, addresses, date of birth, gender, bank sort codes, bank account numbers, and salary. The employees affected brought a class action against Morrisons on the basis that Morrisons was ‘vicariously’ liable for the criminal actions of a rogue employee in disclosing personal information. This was despite Morrisons taking preventative steps and the employee concerned being convicted of a criminal offence.

The case has been working its way through our court system, with the latest hearing in the Court of Appeal. This case, as well as being interesting for its facts, which resemble a soap opera, does raise concerns for organisations that may have a disgruntled employee determined to do them some damage.

In this case, Mr Skelton was a senior internal auditor at Morrisons. He also had a side business selling slimming drugs. Occasionally, he would send these products out from the Morrisons post room, paying the postage himself. One day, one of his parcels broke and quantities of white powder fell out. Morrisons had to ascertain whether it was a legal or illegal substance and sent it away for analysis. It turned out to be legal, but Morrisons instigated a disciplinary process against Mr Skelton on the grounds that he had caused considerable concern and could have closed down the post room. He got a verbal warning.

Mr Skelton was not happy with how Morrisons dealt with this, so he plotted his revenge. As part of his job he was responsible for collating information for Morrisons’ external auditors. He therefore had access to the full staffing database. He put the staff database on a memory stick and through a series of nefarious acts designed to distance him from his crime, he posted the staff database online.

Eventually, Mr Skelton was arrested and convicted of fraud, securing unauthorised access to computer material and disclosing personal data. He was sentenced to 8 years.

Sadly for Morrisons, this was not the end of the saga and they have faced a class action from the employees affected. When Morrisons became aware of the data leak, they did everything right. They acted quickly and removed the data as soon as possible. They told the police and cooperated fully in finding the perpetrator; however, based on this current judgment, this wasn’t enough.

The Court of Appeal found that employers can be vicariously liable for employees’ actions even if the employer has taken preventative steps and the employee concerned was clearly acting criminally. Watch this space, however – Morrisons are appealing. In the meantime, this case does set a worrying precedent for class actions against organisations for data breaches. The general view, pending a ruling by the Supreme Court, is that organisations should insure against the risk; we therefore recommend that schools review their insurance cover and keep the position under review until the outcome of the Morrisons appeal is known.