In the first ever class action for a data breach in the UK, the High Court has found that WM Morrisons Supermarkets PLC was vicariously liable for a deliberate disclosure of personal data by a rogue employee who had a grudge against his employer. The employee committed a criminal offence by his actions and was sentenced to eight years in prison. He deliberately disclosed the personal information of about 100,000 of his co-workers on a file-sharing website.
Morrisons were found liable for the employee’s actions, even though this was exactly what that employee wanted to achieve – financial and reputational damage. Morrisons is going to appeal, but unless the decision is overturned, it could be extremely expensive for Morrisons. It could also have worrying consequences for other employers who find that an employee has disclosed data without their knowledge or consent.
The court found that Morrisons had appropriate measures in place to keep information secure. Although Morrisons could have had a better process for deleting information, the court found that this did not lead to the disclosure. Morrisons were found to be liable for policy reasons, rather than because of their actions. The reason for the decision was to protect the data subjects – in this case the Morrisons workers who had their data shared on the internet. The court wasn’t moved by Morrisons’ arguments about the financial consequences of vicarious liability. It thought that many companies would take out insurance to cover these sorts of claims.
The new data protection laws implementing the GDPR, which come in soon and increase liability for employers and data processors, will raise the financial stakes even more. We may see more class actions for compensation too. This is definitely a case to watch closely on appeal.