Surprise Court of Appeal judgment leaves Morrisons vicariously liable for huge data breach

The increase in large-scale civil litigation is one undeniable consequence of the recent changes in data protection law. One of the most significant recent actions followed the data breach at Morrisons supermarket, where a disgruntled former employee stole the data of nearly 100,000 employees and posted it online. The data was sensitive personal information, including National Insurance numbers and bank account details. The Information Commissioner’s Office (ICO) decided against enforcement action, but 5,500 of the affected employees decided to take their own action.

The December 2017 judgment in the matter of Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 found Morrisons itself innocent of any data breach and, save for one minor issue, declared its data protection measures adequate. However, the supermarket was held vicariously liable for its former employee’s actions. Morrisons appealed against the latter finding.

The supermarket argued that this breach was covered by the Data Protection Act 1998, to which vicarious liability does not apply, and which excludes common law causes of action for misuse of private information and vicarious liability for such. In essence the argument was that vicarious liability was unfair when it had been proven that Morrisons had all necessary data protection mechanisms in place, and an impressive legal argument was compiled to support their case.

It came as something of a surprise, therefore, when the Court of Appeal dismissed Morrisons’ appeal. In its judgment it considered that the DPA 1998 does not entirely exclude vicarious liability, and it rejected the argument that there had been any attempt by Parliament to exclude common law actions. An additional ground on which Morrisons had appealed - that the breach had occurred after the rogue employee had left the company and, therefore, there could be no vicarious liability - was similarly dismissed by the Court.

The Court of Appeal acknowledged the potential risk that such a judgment poses for businesses from the actions of rogue individuals, but it argued that this is a matter to be resolved through companies having adequate insurance, as would be the case with malicious or dishonest employees.

Morrisons has stated that it will now take the matter to the Supreme Court.
