15th December 2017
The Morrisons high court ruling leaves door open for class actions should businesses fail to plug payroll data leaks.
December 2017 saw a landmark court decision in the long-running debacle following Morrisons' huge payroll leak. More than 100,000 employees' names, addresses, bank and salary details were stolen and published.
Morrisons continues to reel from the initial outcry and huge reputational damage that keeps surfacing following the incident in 2014. This class action by nearly 6000 employees could now bring substantial financial exposure on top of the estimated £2m the company has already paid in costs. Morrisons is appealing.
How did this payroll data leak occur?
In 2014 a senior internal auditor at Morrisons, Andrew Skelton, became disgruntled with his employer. This followed allegations of dealing legal highs from Morrisons' head office in Bradford. His retaliation was to post the payroll details online and to newspapers.
After being found guilty of fraud, securing unauthorised access to computer material and disclosing personal data, Skelton was jailed for eight years in 2015.
Surely my business can’t be held responsible for this type of payroll fraud?
This case and ruling is the first data leak class action in the UK. The ruling sets a worrying precedent for businesses, making a business liable and allowing those affected to claim compensation.
In summing up, the judge, Mr Justice Langstaff, ruled that Morrisons was vicariously liable. ACAS defines this as “a situation where someone is held responsible for the actions or omissions of another person. In a workplace context, an employer can be liable for the acts or omissions of its employees, provided it can be shown that they took place in the course of their employment.”
IRIS FMP see this ruling as being of huge importance, particularly in the run-up to GDPR in 2018. Some industry commentators are waiting to see whether companies that have experienced some sort of data loss come clean now. Coming clean before the change in law in May would be in the hope of lessening punitive fines that could arise after that date.
How can I stop this payroll data issue?
With GDPR on the horizon you can find some top tips here about preventing payroll fraud. Smaller companies are often at risk with shared passwords and systems. Any professional payroll provider would already have this covered off.
Ask them if they are ISO 27001 compliant and hold Payroll Assurance Scheme accreditation. If they haven’t got those accreditations you’re on a rocky road. Protecting your payroll data has never been so important. Why take the risk in 2018?