Morrisons data leak: businesses leaders left waiting on liability decision for malicious employee actions

Employers are responsible for maintaining the security of employee data, such as names, addresses, bank accounts and so on – but what if a trusted member of staff deliberately and maliciously leaks this information? Should the employer be liable?

At this present time, it is impossible to determine the answer, because this is precisely what happened when a disgruntled senior auditor working for the Morrisons chain of supermarkets allegedly stole and shared financial details, including payroll data, of 100,000 of the company’s employees on the internet.

The employee in question, Andrew Skelton, is now serving an eight-year sentence, and employees have brought legal action against the supermarket chain. The question is: should an employer be held liable when an employee is malicious rather than negligent?

Morrisons have robustly defended liability for the claim, and on learning of the events, did their best to mitigate the damage.

A spokesman explained: “Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible so that’s why we will now appeal to the Supreme Court.”

Despite the supermarket chain surprisingly being supported by a letter from the UK’s Information Commissioner urging the Court of Appeal to find the defendant not liable, both the original High Court ruling and the Court of Appeal have thus far ruled that Morrisons are liable for the breach – and employment lawyers and business owners alike are currently awaiting the Supreme Court’s decision.

The Supreme Court heard Morrisons’ appeal last week. Barrister Jonathan Barnes told the panel:

“It’s not a case where the office cleaner finds a thumb drive, picks it up and takes the opportunity to make some use of it.”

It’s an extremely complex case that has huge ramifications for employment law.  Unfortunately, business owners and employment lawyers alike will have to wait a little longer to find out what happens next: the Supreme Court has said it will not announce its decision until next year.

Simon Thomas, Partner at Hutchinson Thomas, said:

“While an employer is liable for the negligent acts of their employees acting in the course of their employment, this case presents a challenge because the leak was an intentional and deliberate act against the employer, and thus without precedent. The ruling is likely to have massive implications for employers, who can limit access to data to a certain degree but ultimately can be left vulnerable to this type of claim should a deliberate breach occur.

“It is also of concern to employees, who want to know that their employer will protect their data and that their private information cannot be misused in any circumstance. We will all be watching the outcome of this appeal with interest.  Whatever the outcome, we predict at the very least, employers will be redrafting their data policies when the case is concluded.  If you don’t have a policy yet, or need any help to check yours is up to date with the current law, please get in touch with our employment law team.”

For more information on employment law matters, contact Simon Thomas on 01639 640164 or email