Court of Appeal upholds decision to find Morrisons vicariously liable for data breach

Morrisons vicariously liable for data breach by rogue employee.

What's the issue?

In December 2017, supermarket chain Morrisons, was found vicariously liable by the High Court for the actions of one of its then employees who leaked the personal data of around 100,000 employees in a deliberate attempt to damage the company.

A class action was brought by 5,518 employees with ten lead claimants. In the first ever group litigation data breach case to be heard by the UK courts, the main issue to be decided was whether the data controller Morrisons, was either directly or vicariously liable for the actions of its employee.

The Court held that, save in one minor respect, Morrisons had used adequate security to protect the personal data and had suitable employee vetting procedures in place. While Morrisons was not implicated in the misuse of the data, and, was not therefore, directly liable, it was, nonetheless, liable to compensate all the claimants in the group on the basis of the application of common law vicarious liability principles. This was despite the fact that the misuse was held to have taken place with the express purpose of damaging Morrisons.

This decision caused widespread concern because an 'innocent' data controller was found vicariously liable for the actions of a malicious actor. The decision was not specific to then current UK data protection law but based on common law liability principles.

What's the development

The Court of Appeal has upheld the High Court decision that Morrisons was vicariously liable for the actions of the disgruntled employee.

Morrisons appealed the High Court decision, arguing that the Data Protection Act 1998, excluded common law causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same. Where the DPA and common law came into conflict, statute should prevail. The Court of Appeal disagreed, holding that the DPA would have expressly excluded common law actions had it intended to do so.

Morrisons also argued that the High Court had been wrong to conclude that the wrongful acts of the employee had occurred during the course of his employment as the personal data was disclosed when the employee was at home. The Court of Appeal said that there was a seamless and continuous sequence of events and there was sufficient connection to the employee's employment.

Morrisons is seeking to appeal the decision.

What does this mean for you?

This decision places data controllers in the liability frame even when they have done everything possible to prevent a data breach. This not due to a change in the law but because this is the first occasion on which a class action relating to data breaches has come before the courts, so we may see an opening of the floodgates.

The Court of Appeal did consider the fact that the employee's intention had been to damage Morrison's and that, therefore, rejecting the appeal served to further the employee's aim. However, it said that were it to uphold the appeal, it would potentially remove a possible cause of action in cases where there had been no such intention behind the data theft, for example, where one employee had stolen the bank details of another employee in order to steal money from the account, the second employee would only be able to seek redress from the first employee.

If Morrisons is eventually required to pay damages, the amounts are unlikely to be high on a per person basis. The current claim was brought by around 5,000 employees but around 100,000 were affected by the breach and the final total could add up to something more significant (not to mention the court costs involved).

The Court of Appeal suggested that employers protect themselves from vicarious liability for data theft by their employees through insurance but currently available insurance products do not necessarily provide adequate cover. This makes it all the more important that employer data controllers obey both the letter and the spirit of data privacy law. They may not be able to prevent breaches of this kind but should hopefully be able to minimise opportunity and potential harm to individuals in the event of a breach and would be unlikely to recover their losses.