Morrisons liable for employee's data breach

In a worrying case for employers the High Court has recently found in Various Claimants v WM Morrison Supermarkets (WMMS), that WMMS are vicariously liable for the criminal actions of a rogue employee, who disclosed personal information of around 100,000 colleagues, in breach of the Data Protection Act (DPA). It was found that although the breach was outside of his working hours and was from his personal computer, there was still a sufficient connection between his employment and the wrongful conduct, to hold WMMS liable.

The employee (S) in question was a senior IT internal auditor employed by WMMS and was involved in assisting external auditors by providing payroll data. However, in July 2013 he was subject to disciplinary proceedings for an unrelated event, which he subsequently received a warning for. In a bid to cause harm to WMMS for issuing him with a warning, S downloaded the personal details of around 100,000 employees and later shared this online. Consequently, he was convicted of offences under the Computer Misuse Act 1990 and the DPA.

As a result of the breach 5,518 employees of WMMS sought to claim compensation for a breach of statutory duty under the DPA, in addition to a breach of confidence and the misuse of private information.

It was found that there was no onus on WMMS to monitor the search history of S, as this could amount to a breach of his right to privacy and family life, under the Human Rights Act. In addition, routinely monitoring all internet searches of employees would be disproportionately expensive.

However, as for vicarious liability, the issue was whether S’s actions had been in the course of his employment. It was found that S was entrusted with the data and he hadn’t obtained it outside of his course of employment, he both received and copied it as part of his role. Accordingly, the court held that the breach was part of a seamless and continuing sequence of events, resulting in a sufficient connection with his employment and the wrongful disclosure.

In a bid to prevent a potential floodgate of claims, Morrisons have been granted the right to appeal on the basis that the employee’s sole aim had been to cause loss to his employer.

Best practice would be to ensure that your contracts and policies clearly state for what purpose your staff have access to personal data for, specifically stating what they can and cannot do with it. In addition, you should ensure that all data is securely held and explore putting systems in place to prevent or detect where people are downloading materials from your computer systems. Further to this, all paper files should be held in a secure filing system. This is of particular importance, especially with the introduction of GDPR in May 2018 and the significant penalties, employers could face if they are found to be liable for a breach.

If you require more information or would like advice on how to safeguard your business from a breach, then please don’t hesitate to contact a member of our team.