What are you looking for?

15 January 2018 | Comment | Article by Louise Price

Vicarious liability for data breaches


In the first ever class action for a data breach in the UK, the High Court has found that WM Morrisons Supermarkets PLC was vicariously liable for a deliberate disclosure of personal data by a rogue employee who had a grudge against his employer. The employee committed a criminal offence by his actions and was sentenced to eight years in prison. He deliberately disclosed the personal information of about 100,000 of his co-workers onto a file sharing website.

Morrisons were found liable for the employee’s actions, even though this was exactly what that employee wanted to achieve – financial and reputational damage. Morrisons is going to appeal, but unless the case is overturned, it could be extremely expensive for Morrisons. It could also have worrying consequences for other employers who find that an employee has disclosed data without their knowledge or consent.

The court found that Morrisons had appropriate measures in place to keep information secure. Although Morrisons could have had a better process for deleting information, the court found that this did not lead to the disclosure. Morrisons were found to be liable for policy reasons, rather than because of their actions. The reason for the decision was to protect the data subjects – in this case the Morrisons’ workers who had their data shared on the internet. The court wasn’t moved by Morrisons’ arguments about the financial consequences of vicarious liability. It thought that many companies would take out insurance to cover these sorts of claims.

The new data protection laws implementing the GDPR which come in soon and increase liability for employers and data processors, will also raise the financial stakes even more. We may see more class actions for compensation too. This is definitely a case to watch closely on appeal.

Disclaimer: The information on the Hugh James website is for general information only and reflects the position at the date of publication. It does not constitute legal advice and should not be treated as such. If you would like to ensure the commentary reflects current legislation, case law or best practice, please contact the blog author.

 

Next steps

We’re here to get things moving. Drop a message to one of our experts and we’ll get straight back to you.

Call us: 033 3016 2222

Message us