‘Landmark’ ruling in data protection case

A recent High Court ruling was described as a ‘landmark’ case after Morrisons was found liable for the actions of a former employee. The judgement means thousand’s of workers can launch a claim for compensation against the supermarket chain.

In the UK’s first data protection class action, employees sued Morrisons following the release of their personal data online, including salaries, bank account details and national insurance numbers. The personal details of nearly 100,000 staff were leaked by a former employee, Andrew Skelton, in 2014. Skelton was subsequently jailed for 8 years for his actions.

The judge found that Morrisons had “adequate and appropriate controls” in place, and was not aware that Andrew Skelton had a grudge against the company following earlier internal disciplinary proceedings.

“It was a criminal act which was not Morrisons’ doing, which was not facilitated by Morrisons, nor authorised by it,” said Justice Langstaff, who also said that Morrisons had not broken any of the data protection principles.

The judge ruled however, that the supermarket had vicarious, or secondary, liability and was therefore legally responsible for the data leak. The case has implications for all businesses, as they could be held responsible for the actions of staff acting illegally, and be subject to compensation claims.

Nick McAleenan, of JMW Solicitors, who was acting on behalf of the Morrison employees said, “The High Court has ruled that Morrisons was legally responsible for the data leak. We welcome the judgment and believe that it is a landmark decision, being the first data leak class action in the UK.”

A spokesperson for Morrisons said, “The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues”.

The judge granted Morrisons leave to appeal the case.

This case has significant ramifications for businesses and highlights the potential of any data breach not just a breach as a result of hacker activity or indeed negligence but a wilful act of an employee; to cause significant reputational harm and create exposure for litigation.

For more information as to how Cyber Insurance can assist and mitigate the consequences of a data breach please speak to a member of your Stackhouse Poland team.