Morrisons Loses Insider Breach Liability Appeal

Supermarket giant Morrisons has been told by the Court of Appeal that it is liable for the actions of a malicious insider who breached data on 100,000 employees, setting up a potentially hefty class action pay-out.

An original High Court ruling last year said the UK chain was “vicariously liable” for the actions of former employee Andrew Skelton — a disgruntled internal auditor who published the details, which included NI numbers, birth dates and bank account data.

The firm argued at the time it was forced to pay £2m to resolve a breach that was no fault of its own.

Its lawyers subsequently argued at the Court of Appeal that the firm could not be held “vicariously liable” because the Data Protection Act 1998 — the legislation in place at the time of the incident — excludes vicarious liability.

The latest ruling could pave the way for the UK’s first data protection class action suit, with over 5000 employees seeking financial redress for the distress they suffered as a result of Skelton’s actions.

However, the Bradford-headquartered business is set to take its fight to the Supreme Court.

“Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues,” a statement noted.

“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible so that’s why we will now appeal to the Supreme Court.”

Claire Greaney, an associate at law firm Charles Russell Speechlys, argued that the appeal court ruling could be cause for concern for UK organizations.

“Here you have an essentially compliant company on the receiving end of a class action it could have done little to avoid. In the GDPR era of mandatory notification this is even more concerning for businesses,” she argued.

“Businesses will need to look carefully at the measures they take to mitigate these risks, including the insurance arrangements they have in place in respect of data breaches and, of course, keep an eye out for an appeal to the Supreme Court.”

Simon Sharp, VP international at ObserveIT, claimed firms need to get smarter about spotting insider threats before they become a problem.

“The introduction of easy-to-follow policies coupled with effective monitoring technologies have the ability to stop rogue employees in their tracks,” he added. “This kind of approach is particularly important when staff have access to high-value information, such as payroll details.”