Data breach claims and the rogue employee

The recent case of Morrison's v others concerned Mr Skelton, a former employee who had been disciplined for minor misconduct. As a consequence, he developed an irrational grudge against Morrison's which led him to publish on the internet, the names, addresses, gender, date of birth, phone, national insurance numbers, bank sort codes and account numbers of almost 100,000 former and current employees. He had been given access to this information as part of Morrison's auditing team. Over 9,000 of those employees brought a claim against Morrison's for breach of its duty to safeguard their data under the Data Protection Act, contending that Morrison's was liable for the breach. Both the High Court and the Court Appeal agreed that Morrisons was liable for the breach. Morrison's took the case to the Supreme Court who reached a different conclusion. They concluded that the employee went too far outside what he was authorised to do. His motives were irrelevant. He was not engaged in furthering his employer's business when he committed the wrongdoing. He was acting on his own account. Consequently, Morrison's was not liable. Mr Skelton would of course be liable, but it is unlikely he would have the means of assets to satisfy any claim for compensation or costs. He also committed several offences and was imprisoned as a result.

The Data Protection Act 2018 makes the General Data Protection effective in the UK and it requires organisations to take appropriate steps to protect data. GDPR does impose an obligation on organisation to be more careful by restricting employees access to sensitive data. If for example Mr Skelton had been employed as a checkout assistant and then gained access to this data, the position may have been entirely different. Morrison's succeeded because Mr Skelton had been engaged as part of the auditing process and therefore had legitimate access to this information and because the Court found Morrison's had not itself fallen short of the required standards.

Other obvious examples where a company would be liable would include any employee mistakenly sending out data to the wrong address whether that be by post or email. An external contractor being engaged by the organisation (for example a cleaner or handyperson) getting access to sensitive data at a surgery or other setting holding sensitive personal data and then distributing it could result in claims against the individual and the organisation is likely to find itself liable for failing to take appropriate measures.

If you have suffered a data breach and you believe it is occurred because of failure to protect your data or the organisation is not taken appropriate measures to protect it, you may have a claim for damages. Please contact us for no obligation advice on whether you may have a claim.