Morrisons is responsible for a data breach caused by a malicious insider, the High Court has ruled.
A class action of 5,518 employees took the supermarket to court, claiming compensation for the “upset and distress” caused by the 2014 data breach, in which Andrew Skelton, a senior internal auditor at the retailer’s Bradford office, leaked the payroll data of 99,998 employees. He sent the information, which included employees’ names, addresses, bank account details and salaries, to newspapers and also published it online.
This incident shows how complex liability for a data breach can be. Morrisons is both the victim – having been awarded £170,000 in compensation against Skelton – and vicariously liable for his actions.
Mr Justice Langstaff said: “I hold that the Data Protection Act (DPA) does not impose primary liability upon Morrisons,” adding that the supermarket had not been proved to be at fault by breaking any of the data protection principles, other than in one respect that did not cause loss. However, he rejected the argument that “no vicarious liability can be established”.
Nick McAleenan, of JMW Solicitors, which represented the claimants, said: “Every day, we entrust information about ourselves to businesses and organisations. We expect them to take responsibility when our information is not kept safe and secure.”
He added: “This private information belonged to my clients. They are Morrisons checkout staff, shelf stackers, factory workers – ordinary people doing their jobs.
“The consequences of this data leak were serious. It created significant worry, stress and inconvenience for my clients.”
This ruling is worrying news for organisations, as it’s hard to stop an employee intent on sabotage. Skelton needed access to sensitive information to carry out his job, but after being accused of dealing in legal highs at work, he decided to cause “some real damage”.
Morrisons argued that there was nothing it could have done to prevent the data breach, and that Skelton alone was liable. However, the court ruled that the supermarket entrusted the data to Skelton, and was therefore indirectly responsible.
Improve your legal position in the event of a data breach
The result of this case, the first data breach class action in the UK, has potential implications for every individual and business in the country. It comes just months before the DPA’s successor, the EU General Data Protection Regulation (GDPR), comes into effect. The GDPR gives data subjects the right to compensation for breaches of the Regulation.
Article 82.3 qualifies this, saying: “A controller or processor shall be exempt from liability […] if it proves that it is not in any way responsible for the event giving rise to the damage.” However, the stringency with which liability was determined in this case suggests that it will be very hard for organisations to prove that they are completely free from responsibility.
All organisations that handle EU residents’ personal data should be preparing for the GDPR. Failure to comply could be incredibly costly, as supervisory authorities have the power to issue strong fines and enforcement actions. When you add compensation for affected individuals, a data breach could be devastating.
Implementing the Regulation’s requirements will be a long, challenging process, but organisations that are already certified to the information security standard ISO 27001 will have a much easier job.
ISO 27001 is the international standard that describes best practice for an information security management system. It provides guidance for implementing appropriate measures to mitigate data security risks, and its recommended technical measures are in line with the requirements of the GDPR.
Certification to ISO 27001 enables organisations to demonstrate they have taken reasonable measures to protect themselves from a data breach, and improves their legal defensibility in the event of a breach.