In October 2018 the Court of Appeal upheld the High Court ruling against Morrisons, by finding there to be sufficient connection between Andrew Skelton’s role as a senior internal auditor for the grocery chain, and his conduct in having access to sensitive employee information and disclosing it in a deliberate breach of data privacy regulations. The basis of the ruling was a vicarious liability, where employers may be held liable for damages when their employee causes personal injury or other loss to another person through their actions while at work. This civil case has been brought on behalf of the employees of Morrisons whose data had been disclosed. It is worth noting that Morrisons acted swiftly to remove the personal data posted and notified authorities regarding the breach, and was found to have had in place appropriate data protection methods and avoided regulatory action and potentially a fine.
There is particular interest in this ruling as Mr. Skelton held a grudge against Morrisons and deliberately disclosed the personal data seeking to damage his employer. Mr. Skelton was found guilty, in the Bradford Crown Court in 2015, of the criminal charges of fraud by abuse of a position of trust, unauthorised access to data with the intent of committing an offence, and disclosing personal data. He was sentenced to 8 years imprisonment.
The Supreme Court is now considering the appeal, on the 6 and 7 November 2019, of Morrison’s vicarious liability, and the extent that data protection law is definitive with regards to remedies. The claimants in the case are the employees, numbering over 5000 and who are now seeking compensation in the case. Though there is no suggestion that all of the claimants are able to demonstrate financial hardship or loss due to the breach. If the claim against Morrisons is successful in the Supreme Court, a further hearing to consider the quantum of damages for the claimants will be held, where the damages are likely to be largely based on distress associated with the data breach.
The decision from the Supreme Court will be closely attended to by many companies as it could shape the vicarious liability threshold regarding criminal or fraudulent actions commited by disgruntled employees. However, with the growing sensitivity, scrutiny and regulatory risks arising from personal data breaches (and the increasing scale of cyber attacks against companies), organisations should in any event review their internal data protection compliance, legal and IT security policies and procedures to ensure their risks are mitigated.
This blog post will be updated as events unfold.