Following a recent ruling by the High Court against WM Morrisons Supermarket PLC (“Morrisons”), employers may now find themselves vicariously liable for data breaches perpetrated by their employees.
Background
In 2014, it was discovered that a file containing the payroll data of 99,998 of Morrisons’ employees had been uploaded to a file-sharing website. This data included names, dates of birth, addresses, national insurance numbers, and details of employees’ salaries and bank accounts.
Following an investigation, it was revealed that one of Morrisons’ employees, Andrew Skelton – a senior IT auditor – had copied the data which he was supposed to send to KPMG, Morrisons’ external auditors, to a personal USB drive. Mr Skelton then uploaded this data to a file-sharing website.
Mr Skelton’s actions were reportedly the result of a grudge that he held against his employer following an earlier, unrelated disciplinary incident. As a result, Mr Skelton was subsequently arrested and sentenced to eight years in prison pursuant to the Computer Misuse Act 1990 and the Data Protection Act 1998 (the “DPA”).
Now, in what is the first-ever group action case involving a data breach, 5,518 of the affected employees have brought a group class action against Morrisons for breach of its statutory duty under the DPA and at common law.
The claim was made on the basis that Morrisons was (i) directly liable for breaching its statutory duty; and (ii) in the alternative, vicariously liable for the breach in its capacity as Mr Skelton’s employer.