The supermarket chain Morrisons is taking a legal battle to the Court of Appeal following a ruling by the High Court that thousands of its employees could pursue a compensation claim against the retailer following the disclosure of its employees’ personal information back in 2014.
Andrew Skelton, then a senior internal auditor at Morrisons' headquarters, leaked the payroll data of more than 100,000 employees, including their names, addresses, bank account details and salaries.
Morrisons' appeal has significant implications for other organisations, which could be found liable to pay compensation for the acts of rogue employees.
Commenting on the case, Stuart Crook, solicitor and a specialist in data privacy and information law, said:
“From a legal perspective, the Morrisons claimants have a strong case for compensation because, irrespective of where this breach originated, the law on vicarious liability is geared towards ensuring that a weaker party does not lose out when faced with a stronger, wealthier opponent – even if primary responsibility might be said to rest elsewhere. This principle applies in claims for breach of the data protection and, therefore, as it stands, organisations can be found vicariously liable in their failure to ensure the security and confidentiality of personal data.
“The Morrisons case serves as another example to highlight why businesses must have a 360-degree view of their IT systems. Many are so consumed in trying to stop external attacks, they are blind to the potential threat within.
“The introduction of GDPR has undoubtedly forced the hand of business to sit up and take notice of those blind spots, but it remains to be seen just how diligent businesses, of all sizes, have actually been in making those changes.”