Experts Reaction On Morrisons Not Liable For 2014 Data Breach, Says Supreme Court

As reported by Computer Weekly, supermarket chain Morrisons has succeeded in its appeal to the Supreme Court against judgments that held it liable for an insider data breach caused by a disgruntled employee. The breach occurred in 2014 when payroll data on thousands of Morrisons employees was leaked on a file-sharing website by Andrew Skelton, a member of its internal audit team. A number of the affected employees subsequently brought proceedings against Morrisons, both directly and on the basis of what is termed vicarious liability for the acts of the employee.

2 Expert Comments
Ashley Hurst, Partner and International Head
InfoSec Expert
April 2, 2020 6:54 pm

This is a great result for employers. The Supreme Court found that both the High Court and the Court of Appeal had misunderstood existing Supreme Court authority, particularly by finding that the employee’s motive in posting payroll data on the internet was not relevant to the question of whether Morrisons should be held liable for this unlawful act. In applying the correct test, the Supreme Court found that although the employee had been given the task of collating and transmitting payroll data to external auditors, by taking his own copy of the data and posting it on the internet, the employee was pursuing a personal vendetta against Morrisons and that such actions could not fairly and properly be regarded as done in the course of his employment.

This case concerned the previous data protection regime and not the GDPR. It remains the case that even where employers have taken appropriate steps to protect personal data under the GDPR, they are still at risk of being held liable for the acts of their employees unless the employee can be said to be acting outside the course of their employment.

Whilst most data breaches are caused by attacks from outsiders or inadvertent acts from employees, deliberate leaks and theft of data by employees are quite common. And so this judgment will come as welcome relief to employers in light of the increased risks of data liability that they face post-GDPR.

Jake Moore, Cybersecurity Specialist
InfoSec Expert
April 2, 2020 6:52 pm

Insider threats are usually the ones forgotten about, yet they can ultimately cause the most damage to an organisation. Some insider threats can be very difficult to detect, not to mention prove, as it can be easy for employees to cover their actions. Furthermore, some then go unnoticed for years. Mitigating such risk comes down to cleverly drawn-up training programmes and a shift in culture, which takes time.

Companies need to realise that the potential threat this poses doesn't stop at former employees taking data to a new company. It can be far worse than that, with data falling into the wrong hands and the hefty fines that come along with this.
