Morrisons didn’t know it, but in 2014 it had a huge problem. The UK’s fourth largest supermarket chain, with over 500 stores, had a disgruntled member of staff who had access to sensitive data, such as the payroll information of 100,000 current and former employees.
Senior internal auditor Andrew Skelton had been accused of using the company’s postal facilities to deal in legal highs, and in retaliation he posted the details of 100,000 staff’s salaries, bank details, and National Insurance numbers online, and sent a copy to newspapers.
At the time, Morrisons promised workers that none of them would be left out of pocket as a result of the incident, and police were called in to investigate.
In 2015, Skelton was jailed for eight years for the data leak, but thousands of current and former members of Morrisons’ staff took it upon themselves to sue the supermarket chain for the upset and distress they had suffered. Instead of demanding that Skelton stump up the cash, the employees argued that Morrisons should compensate them.
Morrisons argued that it could not be held responsible for the actions of a rogue employee and the criminal misuse of its data, but in the Court of Appeal this week three judges ruled that Morrisons was “vicariously liable,” and should have done more to protect the data.
In its ruling, the Court of Appeal said “the vicarious liability of an employer for misuse of private information by an employee and for breach of confidence by an employee has not been excluded” by the UK’s Data Protection Act.
Such a judgement of “vicarious liability”, of course, could set something of a legal precedent that could send shivers down the spines of other companies which might discover in the future that their data has been leaked by rogue members of staff. After all, the workers had been granted authorisation to access the data in the course of their job.
Should firms put more rigorous monitoring systems in place to watch staff who have access to highly sensitive data, such as payroll information and customer databases? That feels like the best defence, but it is likely to incur the wrath of those who feel that surveillance already plays too large a role in the workplace.
In the court’s opinion, the solution is simply for companies to insure against such damaging incidents:
“The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees.”
Morrisons has issued a statement, saying that it plans to take its case to the Supreme Court for an appeal:
“Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.”
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.”
“We believe we should not be held responsible so that's why we will now appeal to the Supreme Court.”
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.