In a significant decision the Court of Appeal has ruled that an employer may be vicariously liable for data breaches even where the employer itself is not at fault under data protection laws and the breach is motivated by a rogue employee intent on causing the employer harm.

The case of Wm Morrison Supermarkets plc v Various Claimants [2018] EWCA Civ 2339 involved a disgruntled employee of the supermarket who was employed as a senior IT internal auditor. Going “rogue” he went online and posted the personal data of 99,998 colleagues. This personal data included names, addresses, dates of birth, phone numbers, national insurance numbers, bank account details and salary information. For his crimes the employee was arrested, charged, convicted and sentenced to 8 years in prison.

Unfortunately for Morrisons that is not the end of the story. As part of a test case, 5,518 employees issued a group claim… and won. The Court of Appeal found there was sufficient connection between the position of the employee and his wrongful conduct to make it right for Morrisons to be vicariously liable, whether for breaching duties under the existing data protection legislation at the time, misusing private information or breaching the duty of confidence. The relevant data protection legislation at the time was the Data Protection Act 1998 but similar principles apply under GDPR and the decision would be the same if it happened today, although the level of compensation would likely be even higher.

The Court of Appeal’s suggestion as to how to protect against catastrophes caused by dishonest or malicious employees is for employers to take out insurance.

The particular problem for large employers is not the level of compensation per employee, which is relatively modest, it is the colossal number of employees – 99,998 in the Morrisons case – who may be impacted by just one breach and who each may have a claim. The alarming frequency with which the media reports massive data breaches by household names means that this judgment has serious implications. It is why Morrisons are expected to challenge the decision in the Supreme Court. We will be watching for the appeal and provide an update on any developments in due course.

 

For further assistance or advice about the topics raised in this blog please contact our Employment Law Department either:-

 


Related Blog Articles