Sun Apr 05 2020
Morrisons was facing compensation claims from thousands of former and current employees over a 2014 data breach
Last Wednesday (01/04/2020), the Supreme Court ruled that the supermarket group, Wm Morrisons, couldn’t be held accountable for a 2014 data breach after a former employee posted personal details of over 100,00 members of staff online.
Their victory in the Supreme Court ends a six-year legal struggle for the supermarket chain in which they were fighting possible compensation claims from thousands of current and former employees over the breach.
Back in 2017 Morrisons was originally held to be accountable by the High Court after Andrew Skelton, a former IT auditor working for Morrisons, published employee data online.
In a separate, criminal prosecution he was convicted of this and sentenced to eight years in jail.
Morrisons had given him authority in 2013 to send confidential payroll information for all their staff to external auditors in the exact same way he had previously done the year prior.
However, whilst he did send the information to the auditors, he also created a ‘personal’ copy which he eventually uploaded to a website and also sent anonymously to three separate newspapers.
Upon learning of the breach Morrisons immediately took steps to remove their employee’s data from the website as well as notifying the Police.
Even so, a large group of Morrison employees later filed a law suit against the group, stating it was in breach of it’s statutory duty under the Data Protection Act by misusing private details of it’s employees and also breaching their confidentiality.
After the High Court found in favour of the employees Morrisons appealed to the Court of Appeal, which also agreed with the High Courts 2018 ruling.
Morrisons then brought the case to the Supreme Court which has now overturned all previous rulings…
The circumstances in which Skelton committed wrongs against the claimants were not such as to result in the imposition of vicarious liability upon his employer
He continued to say that an employer couldn’t be held vicariously liable if the employee at fault (in this case Skelton) wasn’t engaged in the activity of expanding his employer’s business and in fact was actively pursuing a personnel agenda to harm his employer.
In their official ruling after the judgement was read Morrisons said:
We also know that many colleagues appreciated the way we got the data taken down quickly, provided protection for their bank accounts and reassured them that they would not, in any circumstances, be financially disadvantaged. In fact, we've seen absolutely no evidence of anyone suffering any direct financial loss.
If you're worried about Data Breaches within your organisation cloudThing will be happy to discuss how you can protect yourself
Sun Apr 05 2020