The ruling that Morrisons was vicariously liable for a rogue employee’s data leak has implications for all retailers, writes lawyer Richard Hayllar.
This week Morrisons lost its appeal against the decision that it should be held vicariously liable for the actions of a rogue former employee, who maliciously released personal data of over 100,000 employees onto the internet.
Morrisons says it plans to appeal to the Supreme Court, but as it stands, every employee affected could potentially be entitled to damages – including for non-financial losses such as distress.
With every business still coming to terms with their new legal obligations under GDPR, the timing of this case is important. The significance is hard to ignore.
Businesses will already have invested significant time and resources in the technology and skills needed to avoid a data breach and minimise the impact if the unfortunate happens.
The Court of Appeal’s judgment in the Morrisons case should sound warning bells for every retailer in the UK. The case highlights that an employer can be held vicariously liable even where there has been significant investment and adequate and appropriate data protection controls and policies are put in place.
Is this fair? That debate is likely to rumble on inside and outside of the courts for months.
Where to invest
What we do know is that the adequate protection of data in today’s business and legal environment requires businesses to look beyond IT, into the peripheries – including employment and incentives – to ensure that their data protection strategy supports the business financially, operationally and reputationally.
There are five key areas of investment that can help protect retailers:
1. Technology – technology solutions have been developed to help businesses tackle today’s gravest security risks, from locking down permissions to identifying certain kinds of behaviour. Further investment in AI will be required to keep pace with the latest risks (particularly in large organisations).
2. Policies and procedures – businesses will also need to review and consider any changes needed to policies and procedures to help minimise the risk of a data breach.
Where sensitive data is involved, policies may need to be changed to limit the number of employees with access to this information and set strict guidelines as to how it is to be used and shared. HR policies may need to be reviewed in situations where an employee raises a grievance, particularly where that employee has access to sensitive data.
3. Training – additional training for HR teams, senior managers and supervisors might be required to help identify the areas of risk within the business and to ensure effective management of employees handling data.
4. Insurance – this option was highlighted by the court and may be an additional cover that businesses need to consider. The cost of any such insurance will no doubt increase as a result of this decision. However, data loss is not just a financial concern; it is a grave reputational issue.
5. Reputation – many companies that have suffered a data breach have seen a significant impact on their brand, share price and customer loyalty.
Businesses need appropriate plans in place to ensure that, if a breach happens, they can not only comply with their regulatory requirements (eg, reporting the incident to the ICO within the required timeframe) but also minimise the negative impact on reputation and customer confidence.
Is it worth a business making this investment? Absolutely, yes.
The big question for retailers will be how to adequately protect data without creating any unnecessary friction between utility and protection. Data is a prized commodity in any modern business, but with such a high value come equally high responsibilities.
Richard Hayllar is a partner at law firm TLT