Anyone who has handled the GDPR transition will be well aware of Morrison’s data leak. For those that aren’t, Andrew Skelton, a disgruntled employee who had access to payroll data, posted sensitive personal data of over 99,000 employees on a file sharing website. This was done to try and frame a colleague with whom he had a grudge against.
The data published included bank information, NI numbers, addresses and phone numbers. The employees whose data was published thankfully suffered no loss but the data could have been used to access their bank accounts and commit identity fraud.
Over 5,000 of the affected employees have since brought a claim against Morrison’s who they believe have vicarious liability for Mr Skelton’s actions. The High Court agreed and so did the Court of Appeal. Morrison’s has since stated it will appeal to the Supreme Court.
One point mentioned in the High Court judgment was that the Court was wary of aiding Mr Skelton achieve the outcome of his crime; punishing Morrison’s for Skelton’s actions. However, ultimately the responsibility for data breaches lies with the employer.
Additionally, there are further steps that could be taken to prevent data breeches. In this case, the data was copied from one memory stick to another. Having some form of encryption that would prevent the copying of data or the insertion of a second memory stick would reduce an employer’s liability for any data breach.