A rogue employee at supermarket chain Morrisons committed a criminal offence by putting the personal information of almost 100,000 employees on the internet. The High Court ruled last year that Morrisons was responsible and its employees were entitled to compensation.
Morrisons spent £2m addressing the leak and now, subject to its appeal against the High Court’s judgment being heard today, faces paying a significant amount of compensation to a large number of its employees.
The case is the first data leak class action in the UK.
Vicarious liability is the legal principle whereby one person is found liable for the unlawful acts of another. Employers can be liable for the actions of their employees, even where the employer has done nothing wrong.
Data breaches are a major concern for business. The General Data Protection Regulation (GDPR) requires businesses that suffer major personal data breaches to notify those breaches to the authorities. As well as the legal liability, there is the prospect of substantial reputational damage for businesses which do not properly secure their customers’ or employees’ data.
In this case the employee was a senior internal auditor at Morrisons’ headquarters. He bore a grudge against his employer after being disciplined for using the company’s mail room to operate an eBay business. He leaked employees’ payroll data online and alerted a number of newspapers about the leak. The leaked information contained the bank account details, home addresses and telephone numbers of many employees, including checkout staff and shelf stackers.
The employee was later jailed for 8 years for his actions.
Around 5,000 of the affected employees brought claims against Morrisons for breach of the Data Protection Act 1998, misuse of private information and breach of confidence. While the company was not found to be directly liable under the Data Protection Act (as it was not acting as the data controller in relation to the leaked data at the time it was leaked), the High Court found that Morrisons was vicariously liable for breaches of duties under the Data Protection Act, misuse of private information and breach of confidence. Although Morrisons was not aware of the employee’s misconduct until the leak took place, the High Court found that there was a sufficient connection between the employee’s illegal actions and his employment: Morrisons chose (incorrectly) to entrust him with the confidential information, and when he covertly copied the data he was doing so in his role as a Morrisons employee.
Morrisons’ appeal has significant implications for other organisations, which could also be found liable to pay compensation for the acts of rogue employees.
The case also emphasises the need for businesses to have a plan in place to deal with any data leak incidents and seek insurance cover for the same. Having a “dry run” to replicate a response to a rogue employee’s actions would be advisable. Businesses should also seek to restrict access to their most sensitive data to only those employees who have a genuine and strong need to access it, as well as ensure that all employees are trained on their obligations.