A High Court judge has found Morrisons supermarket liable for a 2014 data leak where an employee leaked Morrisons staff payroll information. The employee was found guilty for the breach and is currently serving an 8 year prison sentence.
However, some of the employees impacted by the breach (i.e. their details were leaked) took the supermarket to court to claim damages for threat of identity theft and potential financial loss. Whilst Morrisons argued they couldn’t be held liable for the rogue behaviour of an employee, Justice Langstaff, found Morrisons vicariously liable (i.e. liable for the employee’s actions) because the actions of the employee were aimed at harming Morrisons directly:
“The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims.”
This case comes at an interesting time when it comes to data protection compliance, what with the General Data Protection Regulation (GDPR) around the corner. There’s so much fear-mongering going on about the 4% of global turnover or €20m fines (that will probably never be that big anyway) that it’s often forgotten that under UK law there are a number of legal remedies including the potential for data subjects to sue for damages.
This Morrisons case is a land mark case in the UK as it’s the first case of this kind where an employer has been found liable for damages caused by an employee’s actions (rather than a “traditional” hack). It will be interesting to see how this pans out – Morrisons say they will be appealing – and whether this leads to further “victim” led cases; although the key with this case appears to be that it was because of the issue between the employee and employer that lead to the employee’s behaviour and hence the vicarious liability.