In July 2015, former Morrisons employee Andrew Skelton was jailed for fraud after leaking the payroll information of nearly 100,000 employees of the supermarket to local newspapers and data sharing websites.
Around 5,500 of the affected staff are now bringing a claim against Morrisons, asking the court to award compensation for the upset and distress caused by the supermarket’s failure to keep their data safe. It is thought to be the first class action for damages caused by a data leak in the UK.
At this stage, it is not clear on what basis the employees are attempting to establish liability. The employees have the option of either claiming that Morrisons is vicariously liable for Mr Skelton’s fraud, or that it is directly liable for a breach of duty under the Data Protection Act 1998 (DPA).
Vicarious liability is a common law principle whereby one person can be found liable for the wrongs committed by another person. An employer can be found to be liable for the wrongs of an employee where the court finds there is a sufficiently close connection between the wrong committed by the employee and their employment. Liability can be found even if the employer itself has done nothing wrong.
Cases such as Quinn v CC Automotive Group show that, where an employee commits a dishonest act, a sufficiently close connection can be established where the employee has acted with the intention of furthering the employer’s interests or within the boundaries of their apparent authority. Given that Mr Skelton released the payroll data in an apparent act of revenge following a disciplinary investigation into his use of post facilities, it seems unlikely a court would find either of these criteria fulfilled.
However, should the court find there is a sufficiently close connection, damages would be awarded on the basis that an individual should be placed back in the position they would have been in had the breach not occurred. This would include compensation for any financial loss, such as that resulting from identity fraud caused by the leak. Damages for mental distress may be available if aggravated damages are awarded, which can sometimes be the case where the cause of the loss involved deceit.
Breach of the DPA
As a data controller, Morrisons is subject to the requirements of the DPA, which include the requirement to process personal data fairly and lawfully and to take appropriate measures to prevent unauthorised or unlawful processing of personal data. Under section 13 of the DPA, an individual who suffers damage by contravention of these duties by a data controller is entitled to compensation.
Previously, compensation for distress for breach of the DPA was only available where the individual had also experienced damage, such as identity theft. However, the recent case of Vidal-Hall v Google found that in fact no financial loss needs to be suffered before compensation can be awarded for distress. This change is in line with the upcoming GDPR which allows for compensation to be claimed where a person has suffered “non-material damage” as a result of infringement of the regulation, which would include a data leak.
Protecting your Data
There are many ways in which organisations can act to protect the data they hold. The following steps are advisable to minimise the risk of information security breaches:
(a) implement a clear Data Protection Policy;
(b) train employees to ensure they understand their obligations;
(c) control access to confidential information on a need-to-know basis;
(d) protect personal and sensitive information, such as by using encryption tools;
(e) restrict what data is shared and how, such as by prohibiting the use of portable storage devices;
(f) prepare a robust Breach Management Plan so that you can respond quickly to any breaches; and
(g) evaluate the causes of any breaches that do occur, making changes to prevent further breaches occurring.
As the above case of Morrisons shows, a failure to properly protect data can have serious consequences. Morrisons is reported to have spent £2 million on addressing the leak so far and now potentially faces the prospect of paying out compensation to a large number of employees. It is therefore worth being mindful of the above steps, and keeping data protection a key priority.
For further information relating to any issues raised in this blog please contact your usual contact in the Employment and Pensions team.