Morrison Supermarkets Dropped In It Again! Look Out Data Controllers. Look Out Insurance Companies. And Indeed, Look Out, Everyone Who Pays For Insurance.
The Court case described in this Blog is very timely, for me, since it directly deals with the obligations and liabilities of Companies and individuals in relation to Data Handling, Data Storing and Data Protection, the subject of my most recent two Blogs, Link Here and Link here.
And also you may remember my fairly recent Blog when I wrote about what seemed on the face of it to be a very unfair case from the point of view of the Supermarket. Link to my Blog. Link to the case report. Mr Mohamud –v- WM Supermarkets plc
This was the case of an employee of Morrison working in one of their petrol service stations who seemed to take exception to being asked if he would be willing to print out from a USB stick. A polite “No” would have done it. But, he attacked and beat his customer.
Hardly what he was employed to do.
However I suppose that if Morrison had not been held liable then the poor customer victim would probably have been quite unable to obtain compensation for his injuries. Possibly, as a rule of thumb, maniacs who work in petrol stations and subject random customers to random violence, are not the kind of people most likely to have “high net worth”.
Now this month it turns out that Wm Morrison Supermarkets plc doesn’t seem to be the luckiest when it comes to defending claims of vicarious liability – just now in the past week they have lost another one, this time in the area of Data Protection.
The facts seem similar – an employee who was trusted to do his job properly, suddenly turned rogue.
In this case, Mr Skelton was a trusted employee in the IT and data handling department of Morrisons, trusted to liaise with the Company accountants and supply sensitive data when necessary.
Although the Company knew that Mr Skelton had recently been disciplined for sending his own personal postage through the firm’s post room [even though he had paid for the stamps he used] and also knew that he felt that the treatment he had received was unnecessary and unfair, it had no reason to suppose that ideas of revenge would lead him to release the entire employee personal database contents onto the internet.
The Court heard that Mr Skelton has been jailed for eight years. He has denied the charges, but the Courts are satisfied that he deliberately intended to cause financial and reputational harm to Morrisons.
Indeed, Morrisons has already spent over £2million in rectifying the data breach both internally and on the internet, so he has deliberately cost them that money.
Of course, he also risked causing untold damage to the over 100,000 supermarket employees whose salaries, bank details and NI Numbers he sent to newspapers and posted on data sharing websites, exposing each and every one of them to the risk of data theft which is on-going.
A full transcript of the Court case decision is here – link here – I found it fascinating, almost like a novel, in setting out what has happened, and what should be done about it and why.
The first Court decision is that Morrisons are not themselves in breach. Of all the possible reasons why they might have been found in breach of the Data Protection rules, only one stood up to merit any kind of examination, this being an alleged breach of Data Protection Principle No. 7.
Which says “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”
And after considering that in the context of the particular case, the Judge found that – yes – there is room to criticise Morrisons, in that PP No 7 requires “appropriate technical and organisational measures” and in this case the court did not find a measure in place requiring Mr Skelton to delete the sensitive data after a reasonable time, nor one requiring him to prove to Morrisons that he had done so. BUT see paragraph 120 of the judgment: the Court also found that this “failure” neither caused nor contributed to the data breach.
So, there it is – subject to only one failing, which was not material, the Court found that Morrisons had done nothing wrong.
But that is not the end of the case. Just like in the case of Mr Mohamud, where Morrisons had done nothing wrong either.
Because the law is the law, and it includes the concept of vicarious liability.
For example, in an engineering works, imagine that the Management requires machines to be used only with safety guards in place. Staff are regularly reminded of this, there are signs all over the place. Then, because he is under pressure, or whatever, a worker A uses a machine without a guard and worker B passing by is hit by hot metal from the machine and blinded. A guard in place would have prevented that. Worker A is behaving in a way the management would never condone. Worker A will get into trouble, might be sacked, and management has tried as hard as it reasonably can to prevent this happening, but the management is vicariously liable.
Unfair on management, fair on worker B, it’s the law.
What may send a quiver of worry through businesses and insurance companies alike is the rather scant regard the Judge gives to worries that these data protection cases might bankrupt your business, or cause huge increases to your insurance premiums.
He says in para 158 – “I note that I have not been referred to a single case in which it is said that vicarious liability had overwhelmed a company. I HAVE NO DOUBT THIS IS BECAUSE MANY COMMERCIAL ENTITIES WILL COVER THE POTENTIAL LOSSES BY APPROPRIATE INSURANCE WITHIN THE ORDINARY COURSE OF TRADING.”
So that’s all right then, eh?
Motto is, eyes like hawks at all times.
But managing employees is an exercise in herding cats, and the cleverer they are the harder it can be.
If your employees are holding mad grudges and are determined to fool you and to “take revenge upon you”, for the time being at least [pending an appeal] it seems that you will have to pay in the end.
No doubt insurance companies are sharpening their pencils to increase premiums on data protection insurance matters, as you are reading this.
Final thoughts: – there is no doubt the Judge has real concerns about all this.
He has not failed to notice that in finding against Morrisons, he is doing exactly as Mr Skelton hoped he would.
Para 198, “The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims.”
Food for thought, when it is the law which is giving this criminal what he wanted.
The case decision contains the words that “no earlier case of vicarious liability has gone quite so far as this one in holding an employer liable for the consequences of an act of an employee designed specifically to harm that employer.”
[Compare the more usual case, of the unguarded machine say. There, the careless worker would probably have been trying to maximize production and minimise delays, which would ultimately benefit the employer. Also, the management could have done more. Machines can be set up to be inoperative if the guards are not in place.]
The Judge is clearly not pleased to be Mr Skelton’s accomplice. Nor that the facts of this case might give comfort to malcontents, nutters and even terrorists seeking ideas to undermine the financial stability of companies from within.
Funny old world, innit.
Here’s the song [ It’s not my fault ]
And as ever – our message to you is, for documents for use around the world do contact me or Louise Morley here at AtkinsonNotary E7 Joseph’s Well Leeds LS3 1AB, phone 0113 8160116 and email firstname.lastname@example.org or via the website http://www.atkinsonnotary.com