Securing business data

News Article

Why Morrisons lost their data leak challenge

by Giulia Foss | 24 Oct 2018


Like many in the industry, CNS has been watching the developing personal data protection case involving Morrisons Supermarkets with interest. When looking at the potential implications of this case for the data protection industry, it is probably first worth a recap to understand how we got to this position.

The case involves a former member of staff (Andrew Skelton), who was employed as a senior auditor for Morrisons. The nature of his position gave him access to a vast amount of sensitive information relating to staff payroll and associated personal data. The legitimate access to this data as part of his job is very important to the findings by two separate courts.

Following an internal dispute Mr Skelton used his privileged access rights to download a copy of the entire Morrison payroll (around 100,000 staff) and then uploaded this information to a public website. This was obviously a clear breach of data protection legislation. Subsequently a law firm, acting on behalf of a number of employees sued Morrisons for damages resulting from the loss of the personal information – the first such class action in the UK.

The case went to court in 2017 and Morrisons lost (Mr Skelton was found guilty in 2015 and jailed for 8 years), with the judge citing vicarious liability of Morrisons for the actions of an employee (and hence compensation would be due to the staff affected). Morrisons had argued that they had taken all reasonable steps to protect the personal data of their staff and therefore could not be liable for what were the criminal actions of their former employee. The judge noted that Morrisons had fulfilled its obligations to protect the data but were nonetheless still liable. Not surprisingly, Morrisons decided to appeal the decision.

The appeal was heard this week and once again, Morrisons lost, with the judges citing the same reason, vicarious liability. Morrisons has said that it will appeal again, with the case moving to the Supreme Court.

So why, when the courts have acknowledged that Morrisons have complied with the necessary data protection regulations, have they been found liable and what are the implications for data protection?

This point is the subject of much discussion on line, but the main reason appears to come down to the interpretation of how vicarious liability is defined. In the legal world, there is a two-stage process for demonstrating vicarious liability: a relationship between the two parties and whether the activities of the second party could be considered reasonable or expected (in the context of their job).

Establishing a relationship between My Skelton and Morrisons is obvious, as he was an employee and it would appear that while his subsequent actions were criminal, the court has ruled that his access to the staff data was entirely reasonable, given his role as an internal auditor. Therefore Morrisons, is vicariously liable for his actions.

Should the Supreme Court find in favour of the staff, then this decision will have far-reaching implications for data protection processes everywhere as many businesses will rightly question how they can adequately protect themselves. It may force changes to established working practices, including limiting individual staff access to databases, the wider use of file integrity management and data loss prevention solutions.

Businesses may also turn to insurance, which would at least indemnify them against the financial loss, but this would not be cheap and many smaller firms may not be able to afford such cover.

There is certainly more to come from the case and we shall continue to watch and report on the outcomes in the coming months.

call us

Get in touch

Talk to our experts today +44 (0) 20 7592 8800

Send us a message

We'll get back to you Send us a message

Connect with us

See what we're saying elsewhere