In 2014, the personal details of nearly 100,000 of Morrisons staff including salaries, bank account details and addresses were stolen and published online by former employee Andrew Skelton. Mr Skelton was jailed for eight years in 2015 after being found guilty of fraud, securing unauthorised access to computer material and disclosing personal data.
Although an interesting criminal case, more importantly for employers was that it led to the first data leak class action in the UK which was heard in the High Court last week. Thousands of staff sued Morrisons for the leak.
Morrisons were not found to be primarily liable for the actions of Mr Skelton. The judge found that the supermarket chain had provided adequate and appropriate controls and did not know that Mr Skelton bore a grudge against the company and posed a threat. However, they were found to be vicariously liable for the actions of their former employee. A separate hearing will be held on how much Morrisons will need to pay the Claimants in this case.
This will have a large impact on businesses as it will dramatically increase their level of responsibility for the unlawful activities of disgruntled employees not acting in the course of their employment. However, it should also serve as a reminder to employers about the safety of the personal information they hold. Employees provide this on the basis that their employer will keep it secure and arguably this requires limiting other employees’ access to that information.
If you have any questions about the storage of your employees’ information and your duties under data protection regulations, they should get in touch with their dedicated employment solicitor today.