Data Protection Update: Morrisons Supermarket Responsible for Data Breach Caused by an Employee

The High Court in England and Wales has issued its long-awaited judgement on the Morrisons data breach, an action that was brought by 5,518 employees. The judgement provides employers with plenty of food for thought, as the court found Morrisons vicariously liable for the act of its rogue employee, despite the Court finding that Morrisons had not failed in its duties.

The Facts

In 2014 Morrisons became aware that a file containing the personal data of 99,998 employees had been shared online by a senior IT auditor who had been harbouring a grudge following a previous disciplinary. The file (which had also been sent to several national and local newspapers) contained employee names, addresses, dates of birth and bank account details. Morrisons was alerted to the web page by one of the local newspapers and had the link taken down within a few hours.

The employee was subsequently arrested, convicted and sentenced to 8 years' imprisonment for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA).

A claim was then brought against Morrisons by its employees, which:

  • claimed compensation both for breach of statutory duty (under Section 4(4) of the DPA) and at common law (the tort of misuse of private information, and an equitable claim for breach of confidence);
  • put the claims on the basis that Morrisons has both primary liability for its own acts or omissions, and secondary (vicarious) liability for the actions of one of its employees harming his fellow workers;
  • in respect of the DPA, asserted that primary liability is absolute or strict, rather than a qualified liability only arising if Morrisons failed to observe appropriate standards; but, in the event that the DPA does not impose such liability, asserted that Morrisons in any event failed to observe those standards and is liable on that alternative basis.

The main questions dealt with by the Court were:

  • whether an employer is liable, directly or vicariously, for the criminal actions of a rogue employee in disclosing the personal information of co-employees on the web; and
  • whether any such liability arises under the DPA 1998, in an action for breach of confidence, or in an action for misuse of private information.

Conclusion

It was held that:

  • The DPA does not impose primary liability upon Morrisons.
  • Morrisons was not at fault for breaching any DPA principles, apart from one:
    • Morrisons fell short of its duty under principle 7 of the DPA by not having an organised system for data deletion to guard against unlawful disclosure or data loss, but this neither caused nor contributed to the data breach.
  • Morrisons was vicariously liable, as it was responsible for the actions of its employee during the course of his employment.

Implications for Employers

This English decision could leave the door wide open for claims brought by employees that have been victims of data breaches. However, there was a tone of reluctance from Mr Justice Langstaff to find Morrisons liable, and he gave Morrisons leave to appeal, so watch this space.

In any event, employers will have to think about how they balance employee surveillance with the right to privacy. We will be updating you on the General Data Protection Regulation which comes into force on 25 May 2018.

In the meantime, if you need any assistance regarding Data Protection you can get in touch with Sophie Graham and Emma Arcari.