Four years ago, Andrew Skelton, a senior internal auditor at the company’s headquarters, copied payroll data relating to around 100,000 employees onto a USB stick and later posted it online. He was said to be holding a grudge against the company following accusations of drug dealing at work.
The data included names, addresses, bank account details, national insurance numbers and salaries.
But while Skelton has already been given eight years in prison, the appeal court has now ruled that Morrisons is liable too – even though it couldn’t be deemed to be the data controller at the moment Skelton was uploading the data. Instead, the issue was vicarious liability, with Morrisons responsible for the actions of its employee.
“Suppose he had misused the data so as to steal a large sum of money from one employee’s bank account. If Morrisons’ arguments are correct, then (save for any possible claim against the bank) such a victim would have no remedy except against Mr Skelton personally,” the judgement read.
It’s a decision that should send shivers down the spine of employers. Payroll data is about as personal as it gets, and potentially very valuable to criminals. And while this case related to events before the introduction of the EU General Data Protection Regulation (GDPR), that legislation could make the penalties for a breach even greater – up to €20 million, or 4% of annual global turnover, whichever is higher.
In this instance, Skelton did officially have access to the data he leaked. However, the case highlights just how important it is to keep the tightest-possible restrictions on the number of people with access to payroll information.
A good starting point is to have a clear policy on user authentication and authorisation, with carefully-specified access rights and privileges. It’s important, of course, to revoke these privileges as soon as an employee leaves.
There need to be tight controls on bring-your-own-device policies, external emails and – as the Morrisons case highlights – on the use of USB sticks. And it also helps enormously if data can be centralised on a single secure platform, rather than duplicated between HR and payroll departments or shared with third party payroll providers.
Interestingly, the appeal court judges acknowledged the difficulty faced by employers over vicarious liability. Unfortunately, though, their solution was to suggest that organisations should take out insurance against events like the Morrisons breach – a rather fatalistic attitude.
However, there’s still a chance that the judgement could be overturned, with Morrisons saying it plans to take the case to the Supreme Court.
Join us on our next webinar, where we will discuss the In System Authorisation and Rights and Roles Management features built into our Global Payroll Software.
Author: Emma Woollacott
Emma Woollacott is a freelance journalist specialising in business and technology. She writes regularly for the BBC, Forbes, Raconteur and other publications