Published on April 2nd, 2020
Morrisons Wins Insider Breach Ruling but Liability Concerns Persist
Businesses have been urged to tighten their data protection technologies, policies and procedures after a UK Supreme Court ruling yesterday left the door open for employers to be sued by their staff for insider breaches.
The case involved supermarket chain Morrisons, which suffered such a breach in 2014 when former internal auditor Andrew Skelton published online the details of nearly 100,000 employees, including NI numbers, birth dates and bank account data.
Some 5,000 of these employees then brought civil proceedings against the firm, arguing it was liable for the misuse of their data. Both the High Court and the Court of Appeal ruled that, although the supermarket chain was not primarily to blame, as its security safeguards were sound, it was "vicariously liable" for Skelton's actions.
"In simple terms Morrisons had to underwrite Skelton's actions as an employee," explained legal firm Cordery Compliance. "This was in part because they had selected Skelton for the trusted position of being the middle-man in transferring the [HR data] to KPMG."
However, the Supreme Court has now ruled in Morrisons' favor: in effect saying that in this case the employer cannot be held vicariously liable, as the employee (Skelton) was pursuing a personal vendetta rather than acting in the course of his employment.
This is a victory for the supermarket, and several legal experts have argued that employers will also be breathing a sigh of relief that they won't be held liable in similar circumstances.
Yet firms aren't completely off the hook, according to Claire Greaney, senior associate at Charles Russell Speechlys.
"It wasn't all good news for businesses today. The court did not say there could never be vicarious liability for the conduct of employees in the world of data protection. If the door to vicarious liability was left ajar by the Court of Appeal, the Supreme Court has confirmed that it is staying open," she argued.
"In the GDPR era of mandatory notification businesses will need to look carefully at the measures they take to mitigate these risks, including taking out data insurance to protect themselves."
Cordery Compliance speculated that the case may also have gone differently had the subject of primary liability been considered.
"Under GDPR there is a very strong emphasis on organizations having 'technical and organizational measures' (TOMs) in place to ensure GDPR compliance, including with regard to keeping data secure," it argued.
"Whilst the law was similar pre-GDPR it could be argued that employers should be more conscious of TOMs like access rights and data loss prevention now that GDPR is in force. With this in mind, had the Morrisons case been decided under GDPR might there have been a different outcome as regards primary liability and the personal data that left Morrisons' systems?"
It's also true that companies can still be held liable for the actions of their staff in a data breach context where those employees are acting within the course of their employment, i.e. in cases of accidental leaks and negligence.