Supermarket giant Morrisons has lost its appeal against a judgement that said it must compensate 100,000 victims of a data breach. Those victims are all current or former employees of the supermarket chain. The Court of Appeal rejected Morrisons' appeal against the judgement. In their summing up the three judges said that Morrisons was “vicariously liable for the torts committed by Mr Skelton against the claimants.”
This case was brought by 5,518 of the victims. Its success means that the remaining 94,000 or so will also be compensated.
How did Morrisons get here?
In 2014, a senior internal auditor called Andrew Skelton was accused of dealing legal highs at work. In retaliation, Skelton sent the personal details of almost 100,000 employees to newspapers and posted them on data sharing sites. The data included salaries, bank details, National Insurance numbers and other personal details.
Morrisons spent over £2 million dealing with the breach. It provided credit protection monitoring to staff and promised no-one would lose out financially. Despite this, Morrisons faced the first class action lawsuit over a data breach in the UK. Morrisons had already been awarded damages against Skelton, and the lawyers representing the employees argued that the employees should be compensated too. Rather than seeking payment from Skelton, they claimed that Morrisons should compensate them.
Morrisons lost, not because the court found it had failed to protect the data, but because it was held vicariously liable for what Skelton did with data he had been given access to.
What happens next?
We will have to wait and see. Morrisons is taking this case to the UK Supreme Court. The ramifications of the judgement mean it is no longer just about Morrisons. The finding that an employer is ‘vicariously liable’ for a rogue employee's leak will send shock waves through organisations. While many will have cyber insurance, it is unlikely to cover this situation.
Morrisons failing to win the appeal will worry many companies. Andrew Skelton had lawful access to the data in order to do his job. His abuse of that access allowed him to copy the data and disclose it to third parties. The access controls did not fail; an authorised user misused access he was entitled to have, which is precisely the case that access control alone cannot prevent and that monitoring of privileged use is meant to catch. This case raises significant questions over what an employer should do when it comes to monitoring those with access to sensitive data.
According to Simon Sharp, VP International at insider threat management specialist ObserveIT:
“Andrew Skelton was the real bad guy when this breach occurred back in 2014 and he’s already serving an eight-year sentence for his crimes. However, the Courts clearly don’t believe that Morrisons is devoid of all responsibility. Like any business holding sensitive data, it has an obligation to do what it can to adequately protect sensitive information – in this instance, some 100,000 employee records.
“To avoid being hit with expensive and damaging compensation claims, like the one Morrisons is now facing, businesses need to take effective steps to identify and thwart insider threats before they become a problem. The introduction of easy-to-follow policies coupled with effective monitoring technologies has the ability to stop rogue employees in their tracks. This kind of approach is particularly important when staff have access to high-value information, such as payroll details.”
What does this mean?
For now, it means that a lot of organisations will be forced to spend money more closely monitoring their workforce. Some will begin to install software to closely watch what staff do. The Trades Union Congress (TUC) is already worried about the amount of surveillance employers carry out on employees.
The TUC published a report in August showing that 6 in 10 workers were worried about being snooped on by employers. This case will give employers a reason to increase monitoring of their employees. They will argue that if they are to be held vicariously liable for the behaviour of their employees, they need to increase monitoring to protect themselves.
How this will end is unknown. What is certain is that the Information Commissioner’s Office (ICO) will be watching carefully. Data breaches come under its jurisdiction. With GDPR now in force, it also has the power to impose significant fines where companies are adjudged to have been negligent, although the 2014 breach itself predates GDPR and fell under the Data Protection Act 1998. Interestingly, Morrisons was cleared of negligence over the breach, but this civil claim was brought separately on the basis of vicarious liability, which does not require any fault on Morrisons' part.
The future for data protection just got a little more complicated.