In a case that has set a new precedent in data breach law, UK supermarket giant Morrisons has been found liable by a High Court for the actions of a former staff member who purposely leaked payroll data for thousands of employees. The decision was reached as part of a class-action lawsuit brought against Morrisons by over 5000 current and past employees of the company, and was in relation to an incident that took place in 2004 – where an employee posted 100,000 employees’ personal details on the internet. This personal information included bank details, salary, insurance information, phone numbers and addresses. Lawyers have referred to this ruling as a “landmark” decision, as it was the first class-action suit filed over a data breach in the UK, and it ruled that Morrisons was liable to pay compensation to the victims despite the judge finding that Morrisons had not been at fault in any way. However, this case is very much in keeping with current trends in regulation to fiercely protect user data, and the high expectations being placed on companies to ensure this.
The High Court decided in a landmark ruling that Morrisons must compensate the victims of the data breach, despite not being at fault
The data was leaked by a disgruntled employee, Andrew Skelton, who is believed to have held a grudge against the company after an incident where he was accused of dealing “legal highs” at work. In the original data leak case, back in 2014, Skelton was found guilty in a fraud court and sentenced to eight years in jail for securing unauthorised access to computer material and disclosing personal data – both online and to newspapers.
Lawyers in the class action suit argued that since the supermarket chain had been awarded £170,000 in compensation against Skelton, the other victims of the breach should also be entitled to compensation for the upset and distress caused. The judge ruled that Morrisons, despite not being directly at fault, was “legally responsible” for the data leak and for compensating those affected. Morrisons argued that since it was not at fault, it was not liable for criminal misuse of data by an employee, and intends to appeal the High Court’s decision.
This is a game-changer for companies, according to cyber security expert Antonis Patrikios. “What is key to remember is that despite this breach being from within their own company from a trusted employee, even when the company is the victim of criminal activity, the responsibility for keeping personal data secure and confidential still lies with the organisation that decides how the data should be used, such as Morrisons in this case”, according to Patrikios.
Meanwhile, a spokesperson for Morrisons said “The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues. Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged”.
The case is significant as it is the first such class action suit in the UK, and will set a precedent in law going forward, which other companies will be very wary of. This will encourage other victims of data breaches to partake in class action suits against the companies holding their data, as well as encouraging law firms to start specialising in this type of class action suit. The amount of compensation that Morrisons would be required to pay is to be decided only after the appeal concludes.
If adhered to correctly, the GDPR could actually help companies protect against such data leaks, even ones where a malicious insider was to blame. Increased security measures, tighter access control procedures, shorter data retention and only collecting fit-for-purpose data are all facets of the regulation which would help companies reduce their risk of a data breach, as well as reducing the amount of data that a company holds which could potentially be leaked. For those companies who are struggling with GDPR compliance, we would advise speaking to an expert as soon as possible to determine the scope of work needed to meet the regulation’s May 2018 deadline.