In a case reported widely in the media, the High Court has ruled that supermarket chain Morrisons is vicariously liable for the actions of a rogue IT Auditor.
The history of the case dates back to 12th January 2014. A file containing the personal data of almost 100,000 Morrisons employees was posted to a file sharing website. Links to the data dump were posted on various other websites. Two months later, CDs containing copies of the data were received by three newspapers, from an anonymous “concerned person”. Two of the newspapers alerted Morrisons to the data breach. Within hours of notification of the breach, the chain’s management had taken steps to remove the data from the web.
A short investigation revealed the data had been taken from their proprietary HR management system. Very few users were capable of accessing this system and extracting data, and on 19th March 2014 Andrew Skelton, a Senior IT Auditor and then a current Morrisons employee, was arrested. He was subsequently charged with fraud and imprisoned for 8 years.
Why did he do it?
The apparent reason for the data disclosure is very interesting.
Skelton had a sideline selling legal slimming drugs online. Occasionally, packages would be sent through Morrisons’ internal post room for convenience. There wasn’t anything necessarily improper about this, but one day a package broke, spilling a white powder, which of course caused alarm in the post room. The police were called, and Skelton was subsequently suspended and disciplined. The Judge believed that these events caused Skelton to harbour a grudge and take revenge on the company.
5,518 employees made claims against Morrisons for breach of the Data Protection Act, misuse of private information, and breach of confidence. The claims were made against the company rather than the guilty individual, on the basis that the company had primary liability for its own acts and omissions, and secondary (vicarious) liability for the actions of an employee harming co-workers.
The Judge hearing the case, Mr Justice Langstaff, held that Morrisons were not at fault for breaking the principles of the Data Protection Act, and had no primary liability for misuse of their employees’ private information, nor for breach of confidence.
However, he upheld the claim for vicarious liability – i.e. they were responsible as an entity for the actions of one of their employees.
Morrisons were given the right to appeal, because Skelton’s intention had been to harm the company itself.
What the decision means for employers
As we approach the commencement of enforcement of the new General Data Protection Regulation, the case highlights the need to have careful controls in place to prevent unauthorised disclosure of personal information.
Even though Morrisons as an organisation were not negligent in the way they stored and processed data, the ruling means companies are liable for the consequences of malicious actions carried out by employees.
Whilst it is not possible to completely stop an employee determined to cause damage to a company’s financial position or reputation, robust policies, record keeping, and auditing can help detect malicious activities before they can do serious damage, or at the very least speed up investigations into any issues that arise.
When GDPR is enforced from May 2018, demonstrating that your company is doing everything it can to stop or mitigate negligent disclosure of personal data will be vital.