Employers Will Be Liable For Deliberate Data Breaches By Employees

The potential financial and reputational damage from data breaches has come into sharp focus with the recent Court of Appeal case in England involving the Morrisons supermarket chain. A stark reminder of the data protection issue came in the court's finding that Morrisons were liable for the unlawful leaking of payroll information of all of its UK employees by an aggrieved employee.

While Morrisons will now appeal the decision of the Court of Appeal to the Supreme Court, it is nonetheless the case that in light of this decision, companies should ensure they have rigorous policies to control sensitive information, as well as put sufficient insurance in place to guard against liability when it comes to personal information and data protection.

Background

An IT worker at the business went through a disciplinary process in July 2013 for misuse of the company's postal facilities. He received a formal verbal warning and it is understood that this left him with a grudge against his employers.

The company's auditors, KPMG, requested a number of categories of data in order to complete their annual audit. One of the categories was payroll information. The IT worker in question was given an encrypted memory stick with the payroll data of all Morrisons staff. He then downloaded this information on to his personal laptop and then copied it onto his own personal memory stick.

The IT worker uploaded the data, containing the personal details of 99,998 employees, onto a file sharing website. The information remained on the website for two months until he anonymously contacted a number of local newspapers to notify them of the breach. The papers reported the issue to Morrisons, who had the information removed on the same day.

The IT worker was subsequently convicted of fraud and offences in terms of the Computer Misuse Act 1990 and the Data Protection Act 1998. He was sentenced to a term of eight years' imprisonment.

Group Litigation Order

Following the discovery of the data breach, a Group Litigation Order was made allowing 5,518 of Morrisons' employees to pursue a claim for damages against the business for misuse of private information, breach of confidence and breach of statutory duty owed under the Data Protection Act.

In the first of the court hearings, the judge dismissed the claims that Morrisons had primary liability for the leak of the information. This was on the basis that they did not deliberately misuse or authorise or carelessly permit the misuse...
