Morrisons Case – Data Breach from USB to Online

Data Breach at Morrisons

A recent case has highlighted the risk employers run when they ‘allow’ their employees to misuse personal data that they hold.

The data protection breach occurred after Morrisons asked one of its employees to send payroll data to its external auditors, KPMG.

This was a perfectly legitimate request and the process was fairly secure.

The employee received the data on an encrypted USB stick from Morrisons’ HR department.  He then copied the data to his laptop, which was also encrypted, and from there he copied the data to another encrypted USB stick that had been supplied by KPMG.

Once he had done this he returned the USB stick to KPMG.

Where was the Data Breach?

However, sometime later, the employee copied the payroll data from his laptop onto a personal USB stick.

He then posted a file containing the data on a file sharing website.

Following this the employee contacted three newspapers to say that he had found that Morrisons’ payroll data was openly available on the internet.

He apparently did this because he was annoyed that Morrisons had previously given him a disciplinary warning.

The data included the name, address, gender, date of birth, telephone number, national insurance number, bank account details and salary of almost 100,000 of Morrisons’ employees.

Data Breach Consequences

The affected employees brought claims against Morrisons.

They claimed that Morrisons was vicariously liable for what its employee had done and that Morrisons had breached the Data Protection Act.

Morrisons argued that it should not be held liable for the acts of an employee who had misused personal data.

Unfortunately for Morrisons, both the High Court and then the Court of Appeal rejected its arguments and held that it was liable. The courts said that, on the facts, there was a sufficiently close connection between the employee’s employment and his wrongful conduct for Morrisons to be found liable.

Morrisons will now need to compensate each of the affected employees and may face a fine from the Information Commissioner.

If you would like to discuss how we can help you navigate the data protection minefield, please call one of our employment law experts at either our Ipswich or Colchester office.

Article written by Adrian Green