In this article we are going to explain the details of the case brought against Morrisons, what the ultimate court ruling was and what the key takeaways are.
In 2014, Andrew Skelton, who was then the senior auditor for Morrisons in their head office in Bradford, leaked the payroll information of more than 100,000 Morrisons staff members. The data included salary information, names, addresses and even bank account details. He leaked the information to a series of newspapers and also posted it online.
Morrisons swiftly denied liability in the High Court trial, which was brought forward by 5,518 current and former staff on the 9th October 2017. The staff members asserted that Morrisons were responsible for breaches of privacy, confidence and data protection laws and wanted compensation for the ill feeling caused by the whole fiasco. The lawyers representing the employees stated that all employees should be properly compensated.
Morrisons went on to say that it was not liable either directly or indirectly for Skelton's misuse of the data, and asserted that they had already suffered serious damage, having incurred £2 million in costs relating to the data breach. However, the verdict from the High Court was clear – Morrisons was legally responsible for the data leak.
This was a landmark decision from the courts, and represented the first data leak class action lawsuit in the UK. In July 2015, Skelton was found guilty at Bradford Crown Court of fraud, securing unauthorised access to material, and disclosing personal information. His punishment was 8 years in prison. It was later uncovered that his motive was a grudge over a previous incident where he was accused of dealing in legal highs at work.
The key takeaway from this landmark ruling was succinctly summed up by Antonis Patrikios, head of cyber-security at law firm Fieldfisher, who stated that “despite this data breach being from within their own company from a trusted employee, even when the company is the victim of criminal activity, the responsibility for keeping personal data secure and confidential still lies with the organisation that decides how the data should be used”. In short, Morrisons thought they would be off the hook as it was a rogue employee committing the crime, but no such luck.
This landmark ruling should serve as a stark wake-up call to all large organisations. Data security is an incredibly important issue, and companies will be held responsible for any employee who commits a data crime that affects the company’s employees.
In an age where high-ranking employees can cause untold damage by quietly leaking sensitive information, it is crucial for companies to focus on the well-being and welfare of their employees, to minimise the chances of an employee being angry or dissatisfied enough to commit such an act. Furthermore, it is clear that large companies should be investing even more money into cyber-security monitoring and reporting software and systems in order to catch cyber-crime and cyber-attacks, not just from outside the company but from within the company too.