What the Morrisons case tells us about data breach liability

This week the supermarket Morrisons lost its case at the Court of Appeal against the 2017 judgement that it had “vicarious liability” for a data breach in 2014.

The data breach was caused by a disgruntled employee who leaked employees’ payroll information on the internet back in 2014. The employee in question is now serving a prison sentence, and whilst Morrisons were able to demonstrate that they were not the cause of the breach (i.e. they had appropriate security in place, etc.), in December 2017 they were found to be responsible to their employees for the breach, even though it wasn’t their fault.

The court found in favour of the employees and declared that Morrisons would have to pay damages to the employees affected. Morrisons said at the time they planned to appeal the case, which is what happened this week, but the Court of Appeal found again in favour of the claimants and against Morrisons. Morrisons say they will take the case further to the Supreme Court. In a statement, Morrisons said:

A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes.

Morrisons has not been blamed by the courts for the way it protected colleagues’ data, but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.

Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.

We believe we should not be held responsible, so that’s why we will now appeal to the Supreme Court.

When businesses think about data breaches from a GDPR and data protection perspective, the focus is usually on the GDPR’s requirements around whether the breach is reportable to the regulator (the ICO in the UK) and to the data subjects themselves, with an underlying worry about what the consequences (fines, legal remedies) might be, particularly if the regulator is involved.

Of course, alongside fines, one of the remedies available to data subjects is to seek compensation for damages caused by the breach. The intention of the law here, though, is for data subjects to sue for damages caused by a data controller’s own breach of the data protection rules. In the Morrisons case, though, Morrisons weren’t directly to blame: it was the employee’s fault, not Morrisons’.

The Morrisons case is the first of its kind in the UK. What it tells us though is three things:

  1. you might have the tightest data security within your organisation, but, as is often the case with cyber-security, you can’t protect against the independent actions of your employees: no amount of data protection compliance is going to prevent a rogue employee acting in their own interest
  2. you’ll need to consider what other options or contingencies exist to protect your business from such claims; maybe insurance is the answer
  3. if Morrisons’ case fails in the Supreme Court, the floodgates may open for further class actions