In 2014 an employee of Morrisons supermarkets posted payroll information (including names, addresses, bank accounts and salaries) of 99,988 colleagues online and sent the same to newspapers. Mr Skelton had the right to access this information and had taken the data to get revenge on the firm after disciplinary action. Given the scale and nature of the information, he was subsequently jailed for eight years.
In the first UK class action of its kind for a data breach, over 5,000 employees have taken action against Morrisons in the High Court. The Court has now decided that Morrisons was not directly liable, as it had not acted in breach of the Data Protection Act and could not have done anything to prevent the breach. However, even though the rogue employee’s actions were intended to cause Morrisons harm, the Court held that Morrisons was vicariously liable, as he was its employee and the role he had been given was sufficiently close to the unlawful act. Importantly, the Judge also ruled that staff did not need to prove any financial loss to claim compensation.
The decision is likely to alarm employers, who, even with the best systems in the world, would be liable if one of their employees decides to misuse data. Liability for breaches will come to the fore when the General Data Protection Regulation comes into force next year, as employers will have to notify supervisory authorities (in the UK, the ICO) within 72 hours of a breach. A failure to notify could in itself lead to fines of up to €10 million or 2% of annual turnover (whichever is the greater), and the maximum fine for data protection breaches generally will be €20 million or 4% of annual turnover.
One comfort is that Morrisons was given leave to appeal due to the Judge’s unease with the decision. We will keep you posted on any further developments.