Morrisons 'vicariously liable' for data breach: what does the decision mean for employers?
The Court of Appeal has recently upheld a judgment finding that the supermarket chain Morrisons was vicariously liable for a data leak of payroll information by a rogue employee. The case concerned an employee of Morrisons, Mr Skelton, who was an Internal Auditor and who intentionally posted the personal details of more than 100,000 employees online. The disgruntled employee was eventually criminally convicted for his actions and was subsequently jailed for eight years. It is anticipated that more than 5500 employees may seek compensation following the decision, despite no employee actually suffering any financial loss as a result of the breach.
The decision means that Morrisons was found to be liable for the criminal behaviour of the employee and is facing the prospect of having to pay out possibly millions of pounds in compensation. In this case, Morrisons acted quickly in addressing the issue when it learned of the breach, but it was nevertheless found to be responsible.
It is not surprising that employers will be concerned by this decision. The case highlights a huge area of risk for businesses on the issue of vicarious liability for data breaches. It seems it is exceptionally difficult, if not impossible, for businesses to completely protect themselves in these circumstances; if a data breach occurs within an organisation, even at the hands of a malicious employee who is intentionally trying to cause damage, the business will remain ultimately responsible.
It is difficult to know what action Morrisons could have reasonably taken to prevent the breach; it seems from the decision that someone who is intent on causing harm will be free to do so. The message to be taken from the decision is that even if an organisation is the victim of criminal conduct, it retains ultimate responsibility for keeping personal data secure. As such, every practical effort should be made to ensure the safety and security of personal data kept by a business, and every effort should be made to ensure that, as far as possible, a data breach cannot occur. This could include a variety of measures, from training staff to having appropriate policies in place and implementing sufficient safety and security measures to protect the data held by the business.
Unfortunately, this case demonstrates that it is impossible for employers to guarantee protection from liability where there is a data breach. Morrisons has confirmed that it intends to appeal to the Supreme Court and we will await with interest any final decision on the matter. In the meantime, this highlights a very significant vulnerability for businesses and it is recommended that organisations take all reasonable steps to prevent data breaches and protect themselves from similar outcomes.
If you require advice on any of the issues above or any other area of Employment Law, please do not hesitate to contact a member of the Chattertons’ Employment Team.