Morrison's Data Breach
Morrison’s supermarket loses its appeal against the UK's first ever data protection class action
For those not in the know, in 2014 a disgruntled former employee of Morrison’s Supermarkets deliberately, and criminally, exploited his legitimate access to Morrison’s databases, then stole and posted online the personal details of almost 100,000 Morrison’s employees. The data he stole included names, addresses, genders, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers, and salary details. That former employee was later jailed for eight years for his offences, and group litigation was commenced by 5,518 affected employees against Morrison’s.
In the first instance, the High Court judge found that, despite Morrison’s having adequate data security measures, they were still vicariously liable for the rogue employee's actions.
Morrison’s then appealed to the Court of Appeal. This appeal was heard on 9 and 10 October and the decision was handed down yesterday. The appeal focussed on the following three grounds:
1. Vicarious liability does not apply to the Data Protection Act 1998
2. The Data Protection Act 1998 excluded common law causes of action (such as vicarious liability, misuse of private information and breach of confidence)
3. The judge was wrong to conclude that the wrongful acts of the rogue employee occurred during the course of his employment by Morrison’s, and, accordingly, that Morrison’s was vicariously liable for those wrongful acts
Morrison’s essentially argued that where statute (i.e. the Data Protection Act 1998) and common law (i.e. vicarious liability) came into conflict, the statute should take priority and override the common law.
The Court of Appeal did not agree. They held that the Data Protection Act 1998 did not exclude the common law in relation to misuse of private information and breach of confidence, and that it had not been Parliament's intention to exclude them when the Data Protection Act 1998 was enacted. It found that the former employee was acting within the range of activities assigned to him as a Morrison’s employee, creating a chain of events between his activity as an auditor and his criminal action. As such Morrison’s was vicariously liable for their rogue employee's actions.
This ruling means that the 5,518 affected employees could now seek compensation from the supermarket.
So what is an employer to do? Morrison’s had data security measures in place; the measures they adopted were deemed adequate by both the ICO and the court, yet an employer could still be liable for the criminal actions of a rogue employee. The Court of Appeal took the view that the answer is found in obtaining adequate insurance against these risks, and that employers can likewise insure against losses caused by dishonest and malicious employees.
It’s not over till it’s over.
Morrison’s has stated it intends to appeal this matter to the Supreme Court – so watch this space!
If you have any queries regarding anything touched on in this article, or if you would like further information, please contact Matthew Holman, or give us a call on 0345 070 6000.