The case is significant - both in terms of the number of people impacted by the data breach in the case, but also in respect to the impact of the decision on all employers.
Andrew Skelton was employed by Morrisons as an IT Auditor. In 2014, Mr Skelton disclosed Morrisons' staff payroll data onto the internet. He was found guilty of criminal offences in July 2015 and sentenced to eight year's imprisonment. As part of the criminal trial, evidence came out that Mr Skelton may have been motivated to cause Morrisons harm because of his dissatisfaction with a disciplinary sanction he had received in 2013.
It appears that, whilst performing an IT task, Mr Skelton stole personal data - the names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and salary - of 100,000 Morrisons employees and posted it online.
5,518 of those employees pursued claims in the High Court for compensation against Morrisons, alleging breach of statutory duty (under the Data Protection Act 1998) and various common law claims (including the tort of misuse of private information).
Morrisons was found not to have primary liability for the employees' claims. Whilst it failed to meet its obligation under the Data Protection Act 1998 to take appropriate organisational measures to prevent unlawful disclosure or data loss, the failure could did not cause or contribute to Mr Skelton's breach, because Mr Skelton was determined to deliberately disclose the information.
The High Court went on to determine that Morrisons was vicariously liable for Mr Skelton's behaviour, on the grounds that there was a sufficient connection between Mr Skelton's actions and role as an IT auditor at Morrisons. This decision was based on four factors:
This decision means that as an employer, you are potentially liable for damage caused by an employee's unlawful data breach. This will be of concern to data controllers. Once the GDPR becomes law on 25 May 2018, fines could be up to 20 million euros or up to 4% of the organisation's total annual worldwide turnover. Morrisons is likely to appeal this decision - watch this space for further update.