What the Morrisons data leak ruling could mean for other businesses

If an employee leaked your company’s data, who’s liable?
If employees deliberately leak third-party data, employers might be more liable than they imagine.

A landmark court ruling could possibly leave some companies more liable in the event of an employee deliberately leaking data.

The ruling establishes the principle that companies can be vicariously liable for ‘inside-jobs’ perpetrated by their employees, on top of any primary liability if companies fail to look after their customers’ data. The ruling is the first successful class action for a data breach in Britain.

This type of mass claim could well become more common when the General Data Protection Regulation (GDPR) comes into effect in May 2018.

What happened

In 2014, a disgruntled Morrisons employee put online the names, addresses, bank account details, salaries and national insurance numbers of nearly 100,000 other employees. It cost the company more than £2 million in professional and legal fees to rectify the data breaches.

The ruling has implications for every individual and business in the country.

A group of 5,518 former and current Morrisons employees lodged a claim for compensation for the upset and distress caused. They said the leak exposed them to identity theft and potential financial loss and that Morrisons was responsible for breaches of privacy, confidence and data protection laws.

Morrisons said it could not be held directly or vicariously liable for the employee’s criminal misuse of the data.

The judge ruled that Morrisons was legally responsible for the data leak even though it was not directly to blame. The judge claimed that Morrisons had not been proved to be at fault by breaking any of the data protection principles, other than in one respect that did not cause loss.

The judge rejected, however, the argument that “no vicarious liability can be established”. The judge granted leave to Morrisons to appeal.


The ruling has implications for every individual and business in the country.

It suggests that – despite the breach being committed from within the company by a trusted employee, and the company being the victim of criminal activity – the responsibility for keeping personal data secure and confidential still lies with the company that decides how the data should be used.

25% of data breaches are reportedly caused by errors or malicious actions by employees or ex-employees.

Under GDPR, if an appointed data controller or employer could be held liable under civil law in connection with the unauthorised, criminal misuse of third-party data by an employee, it would have huge implications for anyone who processes personal data. As well as commercial enterprises, this could include charities, governmental bodies, self-employed professionals, clubs, associations and non-governmental organisations.

A specialist cyber insurance policy would cover the costs that stem from such an unauthorised access, including the costs of investigating the breach, the costs of notifying affected parties, as well as the legal defence costs.

First line of defence

A quarter (25%) of data breaches are caused by errors or malicious actions by employees or ex-employees, according to Verizon’s 2017 Data Breach Investigations Report. Companies should check whether they are taking appropriate steps to protect data and can respond to incidents that put data at risk.

The following practices may help you to reduce security breaches that relate to human behaviour:

• Create an effective security policy. This should clearly outline the company’s rules regulating the handling of data access and passwords, use of security and monitoring software and so on. Ensure that all employees are familiar with the policy and that it is effectively enforced.

Deny all data access by default and allow it whenever needed on a case-by-case basis.

• Educate your employees. Make your employees aware of risks that their actions can pose to your company’s security and educate them on how to best handle work in a secure manner. Training should be a continuous effort, not a one-off session. Make it interactive and include practical exercises to optimise engagement levels.

• Apply the principle of least privilege. Deny all data access by default and allow it whenever needed on a case-by-case basis. This will allow you to reduce the risk of accidental data leaks and data deletion by your employees.

• Support incident reporting. Create an environment where staff are comfortable immediately reporting any mistakes made by themselves or other members of staff.

• Identify bad habits. Identify bad practices quickly and take corrective action – before they spread through the workforce.

• Consider monitoring certain IT-related employee behaviour, specifically large downloads from the network (software is available that can help with this).


For more information, please contact Brett Warburton-Smith on:

+44 (0)20 7933 2242

Similar articles


How cyber security became an HR issue

HR and Compensation & Benefits specialists are set to join the growing number of professionals for whom cyber security is a priority.

Reputational Risk

Reputational risk climbs the corporate agenda

Businesses are becoming increasingly concerned about reputational risk and the severe impact it can cause to companies’ revenues and profits.

Cyber PI

How cyber risks are affecting the regional PI insurance market

With cyber attacks posing a growing threat to many professional service firms, insurers are asking more questions.

BA data breach: why other companies should beware

BA data breach: why other companies should beware

How the data breach is judged by regulators, and possibly by the courts, could tell us a lot about how GDPR might be applied to other UK companies.