A ruling that UK supermarket chain Morrisons is ‘vicariously’ liable for a payroll data leak of almost 100,000 staff by a disgruntled former employee has many legal ramifications. It also has significant potential reputational implications.
To reiterate: Aggrieved that he had been discovered running an eBay sales business through Morrisons' mailroom, then-senior auditor Andrew Skelton copied and uploaded the salaries, bank details, national insurance information, postal addresses and telephone numbers of nearly 100,000 of his colleagues to a file-sharing website.
Three months later, seemingly unable to attract a buyer, Skelton sent the data to three newspapers (all of which covered the story but refused to publish the data). Within days, Skelton had been identified and arrested. He was convicted and imprisoned in July 2015.
5,518 current and former employees subsequently decided to take Morrisons to court in the first data leak class action in the UK and, in December 2017, they won on the basis of vicarious liability (under which Morrisons, as Skelton's employer and the data controller, was held responsible for his actions). The ruling is seen as unusual because the leak did not result in any reported concrete financial loss for employees.
Legal commentators have noted that, while the ruling can be contested at the Court of Appeal (Morrisons have confirmed their intention to appeal) and compensation is yet to be determined, an increase in data privacy class actions in the UK and a rise in legal payouts are now possible.
The ruling also potentially poses greater reputational risks for companies suffering employee-driven data leaks, including:
- The threat of significant negative media coverage as a result of class action litigation
- Increased scrutiny from regulators, politicians and other decision-makers
- The perception that leadership is insufficiently knowledgeable about and/or invested in IT/cybersecurity
- The erosion of staff loyalty and the company’s ability to recruit new talent
- Reduced customer loyalty and loss of sales.
As if companies didn't have enough on their plates with GDPR, the Morrisons data leak ruling adds to the pressure on them to:
- Reinforce their overall IT/cybersecurity governance and management
- Strengthen their Incident Response and Crisis Communications Plan(s)
- Enhance their leadership and employee data privacy communication, training and education programmes.
Plenty for communicators, as well as for company leaders, lawyers and IT/cybersecurity teams to sink their teeth into over the coming weeks and months.