Could your business be liable for a rogue employee’s data breach?


14 Feb 2019

Morrisons store in Brighton. Image: chrisdorney/Depositphotos

William Fry’s legal team explains how a case against Morrisons in the UK sets a new standard for data breach protection.

In the UK’s first group litigation case concerning a data breach, supermarket chain Morrisons has been held vicariously liable as an employer by the UK court of appeal. We at William Fry previously reported on the events that led to this case, which involved the actions of one rogue employee and ultimately led to a class-action-style case being taken by 5,518 Morrisons employees whose private information was published. The case concerns breaches of privacy and data protection laws, and claims were brought under the UK’s Data Protection Act 1998 (the UK DPA) as the data breach took place prior to the General Data Protection Regulation (GDPR) coming into force.

While Morrisons argued that it could not be held liable for the criminal misuse of its data, the UK court of appeal found that “the vicarious liability of an employer for misuse of private information by an employee and for breach of confidence by an employee has not been excluded by the [Data Protection Act]” and was therefore a viable course of action for the thousands of Morrison employees. The court found that “if Parliament had intended such a substantial eradication of the common law and equitable rights, it might have been expected to say so expressly”.

Morrisons is now facing large compensation costs. Interestingly, the GDPR and the Irish Data Protection Act 2018 potentially allow for similar claims concerning non-material damage such as emotional distress to be brought in Irish courts.

What can businesses do to protect themselves?

It is worth noting that the UK Information Commissioner’s Office (ICO) took the view that Morrisons had not breached the UK DPA and therefore could not be fined.

Morrisons was compliant with data protection legislation at the time and worked to remedy the leak quickly. Generally, businesses like Morrisons are required to have robust technical and organisational controls in place to ensure no misuse of personal information can ever occur. However, this may not be enough, and businesses should also have measures in place to guard against both internal and external privacy threats. The standard set by the Morrisons decision around rogue employees is a high one.

Mitigating such threats may now also involve protecting data subjects against the acts of employees, including criminal acts in violation of internal policies. The court found that where an employee has acted in their position to the detriment of others, the employer that entrusted them in that position should be held accountable. The misuse of the personal data by the employee in this case was found to be within his “field of activities” as there was an “unbroken chain” of events between his work activities and the data leak.

Where victims of a data breach would have no right to recourse other than against the perpetrator, the court of appeal instead suggested employers may be the most suitable party to be held accountable and that potential mitigation could be found by insuring against such “Armageddon or doomsday” scenarios.

Similar cases could follow

Although this decision relates to the pre-GDPR regime in the UK, following a number of high-profile data breaches and regulatory response, it is clear that the sensitivity and importance of personal data is at the forefront of public consciousness. Fundamentally, the decision will now require businesses to understand that their products, services, processes and policies need to be structured in a manner that puts data protection at the core. Legal and compliance functions should focus on reducing their privacy risk in order to avoid the “Armageddon or doomsday” scenarios referred to by the court of appeal.

Although the Irish legislative framework is different to the UK, businesses and enterprises should account for the possibility that the Irish courts could be guided by the Morrisons decision. As previously reported by William Fry, while Ireland has yet to allow US-style class actions, Article 80 of the GDPR does provide for a claims consolidation mechanism, which could be utilised in future privacy cases.

In the meantime, while Morrisons looks set to appeal to the supreme court, the decision of the court of appeal is likely to be foremost in considerations of privacy compliance heading in to 2019.

By John Magee, Paul Convery and Catherine O’Flynn, with Alex Towers contributing

John Magee is a partner in William Fry’s Technology Department, which includes solicitor Alex Towers. Paul Convery is a partner in the firm’s Litigation & Dispute Resolution Department, while Catherine O’Flynn is head of William Fry’s Employment & Benefits Department.

A version of this article originally appeared on the William Fry blog.

Morrisons store in Brighton. Image: chrisdorney/Depositphotos