Morrisons Pays the Price for Employee Data Leak

A landmark legal decision has determined that Morrisons is responsible for a data leak, in which the personal details of around 100,000 of its employees were exposed by a disgruntled member of staff.

Back in 2014, a senior auditor for Morrisons leaked payroll data, including employee names, addresses, bank account details and salaries. A group of around 5,000 members of staff affected by the breach have been trying to claim compensation for the upset and distress caused by the incident, saying that Morrisons was responsible for the breach of their personal details.

Last week, Morrisons lost its appeal against those employees’ claims. The Court of Appeal determined that Morrisons was responsible - as employer - for the actions of its employee, even though those actions were unauthorised and fraudulent. 

This decision is significant for a couple of reasons:

Class Action - this is one of the first successful class actions under data protection laws, against a large, high-profile company. The action has the potential to grow even further as more employees affected by the breach may come forward, given the success in both the High Court and Court of Appeal.

This should remind businesses that it is not just the Information Commissioner’s Office and regulatory fines that they should be wary of, but those individuals actually affected by the breach. As this breach occurred under the old law - the Data Protection Act 1998 - the maximum fine would be £500,000 but Morrisons’ total bill could end up being a lot higher than that.

Vicarious Liability - this claim is based on the fraudulent, illegal actions of an employee and not anything Morrisons institutionally did or failed to do. It has even been acknowledged that the company’s data security and processes were satisfactory.

This is known as ‘vicarious’ liability, whereby an employer is responsible for the actions of its employees in the course of their employment. However, this doesn’t normally apply where the employee’s actions are far beyond what would be expected or permitted in their role. Many legal experts believe this should include where an employee is guilty of a criminal offence but the Court of Appeal clearly disagrees.

This shows that, regardless of the policies and procedures in place, a business is only as reliable as the employees working for it.

Morrisons is appealing the decision, so it’s still possible that the decision will be reversed. Nevertheless, they have been seriously compromised by the actions of one employee.

So, what can we realistically do to protect ourselves in a situation like this? No business will ever be 100% fool (or rogue) proof but there are a few practical measures that will help to reduce risk and avoid incidents like this:

1. Comprehensive policies and procedures - a business will have no excuse for employee mishaps if they do not have comprehensive, easily accessible and digestible policies and procedures for their employees to follow. These should set out how the business works, what management structures, internal procedures, restrictions and obligations are in place, and set out clear consequences if there is a breach of policy and procedure.
2. Employee training - you may never be able to fully prevent an employee doing something silly or, worse, illegal. However, training and awareness remains an effective tool to instil good practice in employees and ensure they understand the importance of following rules and procedures.
3. Physical/technical measures - some employees will need access to personal or other sensitive data for their role, as Morrisons rogue employee did, but if they don’t need such access, you can reduce your risk by setting up appropriate user groups and access restrictions. Personal data, in particular, should only be accessed by those who need it for the performance of their duties. You may also have other physical or technical measures available to protect data, such as encryption, anonymisation or pseudonymisation, restrictions on the use of portable hardware or unauthorised software etc.
4. Monitoring/prevention - system monitoring can be an effective tool to detect and possibly prevent unauthorised access or attempts to access data/systems, or unusual system activity.
5. Employment measures - having appropriate management, appraisal, review processes in place, which might alert you to problems with an employee, are incredibly important, as are other employee engagement initiatives. If you are aware of any concerns about an employee, or they’re subject to disciplinary action or will be leaving the business, there may be a case for redeployment, access restrictions or closer monitoring, which may help avoid any retaliatory incidents.

If you have any queries about data protection, policies or contracts, please get in touch: email carl.spencer@roxburgh.milkins.com or call on 0117 929 5122.