Morrisons has vowed to take its hack liability fight to the UK Supreme Court after failing to convince Court of Appeal judges it should not be held responsible for the actions of a rogue employee who leaked the supermarket's entire payroll via Tor.
The under-fire chain is battling a class action lawsuit brought by 5,000 of its current and former employees, who were enraged when disgruntled IT auditor Andrew Skelton dumped all 100,000 workers’ details online.
Lord Justices Bean and Flaux, as well as Sir Terence Etherton, Master of the Rolls and one of the most senior judges in the land, handed a ruling down in London yesterday that rejected Morrisons’ appeal against the High Court’s December 2017 ruling that the supermarket was vicariously liable for Skelton’s criminal actions.
Vicarious liability is the legal term for holding someone responsible for someone else’s actions. As arbitration service ACAS explains, in the workplace an employer can be held vicariously liable for blunders committed by employees “in the course of their employment”.
“The vicarious liability of an employer for misuse of private information by an employee and for breach of confidence by an employee has not been excluded” by the Data Protection Act, ruled the Court of Appeal. Data protection barrister Anya Proops QC had argued on behalf of Morrisons that the DPA does not allow employers to be held vicariously liable for deliberate breaches committed by workers – a line of argument the judges rejected in short order.
Proops also argued that because Skelton’s motive was to harm Morrisons rather than make a gain for himself (for example by blackmailing it), if the court ruled against the supermarket, it would “render the court an accessory in furthering Mr Skelton’s criminal aims” of causing it damage, something the Court of Appeal also rejected.
As for the repercussions of setting a legal precedent that can be held against companies for years to come, the judges merely said: “The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees. We have not been told what the insurance position is in the present case, and of course it cannot affect the result.”
Morrisons itself told us:
Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues. Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible so that's why we will now appeal to the Supreme Court.
Skelton, the data thief, was an IT auditor for Morrisons. He had been disciplined by the company for using its postal facilities for personal mail, something that left him holding a grudge. After external auditor KPMG asked for copies of various data including the entire company payroll, Skelton was given the payroll on an encrypted USB stick and made a private copy of it from there: the encryption protected the data against loss of the device, not against copying by the person authorised to decrypt it. He then posted all 99,998 Morrisons employees’ personal details on a file-sharing site, linked to it from various other places, then sent CDs containing the data to three newspapers. One, the Bradford Telegraph and Argus, published nothing and told Morrisons straight away.
Skelton was arrested after a few days and in 2015 was jailed for eight years for fraud, securing unauthorised access to computer material and disclosing personal data. ®