Morrisons held liable for rogue employee data leak
In a landmark case in the High Court, supermarket chain Morrisons has been held liable for the actions of a disgruntled former employee who disclosed the personal data of 100,000 of his colleagues on a file sharing website. The personal data included general biographic information about Morrisons’ employees as well as national insurance numbers, bank account details and salaries – the kind of data that would be very useful in the hands of cybercriminals. The former employee was tried for a number of offences in connection with the disclosure in 2015 and was sentenced to 8 years in prison.
The case was brought by some 5,500 employees in the first group data protection case of its kind. The claimants argued that Morrisons was directly liable for the rogue employee’s actions or, alternatively, Morrisons was ‘vicariously liable’ for his actions. Vicarious liability means that a party is responsible for the acts of another person, even if they were not directly at fault.
The High Court concluded that:
- Morrisons did not fail in its obligations as a data controller in continuing to provide the former employee with access to the data following conclusion of the disciplinary procedure: there was nothing to suggest that the “rap on the knuckles” given to him would lead him to defraud Morrisons, and he needed access to the data to perform his role effectively;
- When the former employee made a copy of the data and disclosed it, he did so as a data controller in his own right and not in his capacity as an employee of Morrisons;
- Morrisons was therefore not directly liable for the former employee’s actions;
- Despite Morrisons’ arguments that there was no room for vicarious liability under the Data Protection Act 1998, Morrisons was vicariously liable for the former employee’s actions.
As such, following the Vidal-Hall v. Google case in 2015, each of the 5,500 employees who brought the claim against Morrisons would be entitled to damages for distress regardless of whether they suffered any financial loss as a result of the disclosure of their personal data. The judge did not, however, make any decision regarding the amount of such damages, which will be the subject of a separate hearing.
Given the complexity of the matter and the potential consequences for data controllers, the judge granted Morrisons leave to appeal the conclusion he reached regarding vicarious liability. Interestingly in the final paragraph of the judgment, the judge noted that his conclusion had the potential to further the former employee’s aims in seeking revenge against Morrisons.
Unfortunately, the number of cases involving disgruntled employees disclosing personal data relating to colleagues and/or customers is on the rise. As such, this judgment is likely to cause data controllers that have been the victims of rogue employees some sleepless nights. While an employer’s immediate reaction might be to implement monitoring of employees’ computers to prevent such disclosures from happening (there are tools that can monitor employees’ internet searches, identify when ‘unsigned devices’ have been connected to computers, or detect when certain datasets are copied or exported), the judge noted that the use of such tools will often be impractical, not to mention intrusive (following the recent case of Barbulescu v. Romania).
Morrisons has confirmed that it will appeal the judgment to the Court of Appeal.