Morrisons has been found liable for damages arising from the actions of a rogue employee who deliberately disclosed payroll records relating to almost 100,000 staff members, in a case which has broad implications for all employers.
The facts and findings: how the leak went pear-shaped
The employee in question (Andrew Skelton) was an internal IT auditor who had been given a verbal warning for misconduct relating to a post-room incident. Apparently in retaliation, the employee uploaded payroll data relating to 99,998 Morrisons staff members – including their names, addresses, phone numbers, bank account details and salaries – to a file sharing site and notified three newspapers. Unsurprisingly, he was sentenced to 8 years imprisonment as a result of his actions.
However, a group of 5,518 of the employees affected pursued claims against Morrisons in the High Court for damages in connection with the data breach. On Friday 1 December, the High Court confirmed that Morrisons is vicariously liable for Skelton's actions which amounted to breaches of the Data Protection Act 1998 (the DPA) and instances of misuse of private information and breach of confidentiality. The conclusion was reached despite the Court's findings that:
• Morrisons itself had not committed any breach of the DPA which would give rise to damages; and
• it was effectively a target and victim of Skelton's actions.
Firstly, this is the first class action brought by employees for data breaches. It is very likely to set a trend – which means that where breaches occur employers may well face a triple threat of:
(1) regulatory action, which from May 2018 could include fines of up to 4% of global annual turnover or €20m;
(2) class actions (or individual actions) like these from affected data subjects; and
(3) significant reputational damage – which should not be overlooked and could make attracting and retaining talent and retaining the trust of consumers much more difficult.
The case also confirms that where a rogue employee commits a serious breach the employer will almost certainly be vicariously liable even where it is the target of any action, although Morrisons will appeal this and possibly other points.
What should employers do?
Data breaches such as these have always been more likely to result from an individual's error than a systems issue – and it is difficult to completely prevent issues arising from such PICNIC-ing (Problems In Chair, Not In Computer), especially where individuals are motivated to cause damage. However, as Antonis Patrikios, a partner in Fieldfisher's Privacy team told the Independent: "The key questions for organisations are: are we taking appropriate steps to protect the data and are we appropriately prepared to respond to incidents that put the data at risk".
Employers can and should already be taking proactive steps to gear up for the General Data Protection Regulation (which comes into force in May 2018), including in order to protect and prepare for data breaches. In light of this case, it is particularly important that those include:
• updating policies and rules relating to the acceptable use of systems and the processing of data by staff – and carrying out mandatory training;
• having and communicating a clear breach response plan and testing it through drills. As reported here, certain breaches must be reported within 72 hours;
• carefully considering the controls in place around access, download and sharing rights for employees, and in relation to the deletion of data. The High Court was critical of Morrisons' failure to properly consider the deletion of the data; and
• rolling out or enhancing content reviewing / compliance software (enabling scanning of emails and data transfers) to protect against unauthorised disclosures. Of course, the use of such software is likely to amount to employee monitoring and will have its own implications under the GDPR.
Fieldfisher's market leading privacy and employment teams are trusted by many clients to help them get these kinds of issues right. If you would like to discuss the various ways in which we can help then do get in touch.