Back in 2014, long before dabbing, flossing and GDPR, Andrew Skelton, senior auditor at Morrisons’ headquarters, leaked the payroll data of around 100,000 colleagues on to the internet. Although Mr Skelton received a custodial sentence for his activities, his employer Morrisons also found itself at the sharp end of a group action of over 5,500 of their employees seeking compensation for the distress caused due to the loss of data and the risks that flowed from it.

Morrisons claimed that it was not responsible for the actions of its disgruntled former employer, who they claimed was acting outside the scope of his employed work when he leaked the data.

Late in 2017 the High Court found in favour of the employees and held Morrisons vicariously liable for the actions of the employer. Without delay, Morrisons pushed to appeal the judgement, and this week the Court of Appeal upheld the former judgement – Morrisons was liable for the leak of the data by its disgruntled employee.

Although more appeals may yet follow, the judgement is considered “bewildering” by cyber practitioners and lawyers. It creates a strict, high burden upon employers to ensure that they provide appropriate safeguards to protect “sensitive personal information”.

Morrisons stated optimistically that “it has not been blamed by the courts for the way it protected colleagues' data”. Although the Court made reference to the “potentially ruinous” amounts of claims that may arise from these breaches, the judges felt that business insurance was an adequate safeguard.

Prevention is better than cure – speak to Grant Thornton’s cyber experts today to conduct a cyber health check and be alerted if your employees steal your data or put your business at risk.