Employer held liable for Employee’s deliberate data breach

In a momentous decision, the UK’s first data leak group action, the Court of Appeal has upheld a High Court ruling that supermarket chain WM Morrison Supermarkets PLC [‘’Morrisons’’] is liable for the actions of their former Employee with the Employee deliberately leaking data of past and present employees of Morrisons. Various Claimants v Wm Morrisons Supermarket PLC [2018] EWHC 1123 (QB)

The Employee concerned was a Senior IT Auditor with the Employer Morrisons. The Employee received a verbal warning in 2013 for a matter not related to the present case. The Employee did not agree with the level of sanction he had received and intended to take revenge on the Employer. An audit was carried out at the end of 2013 of the Employer’s payroll data. The Employee concerned did not normally have access to payroll data but in order to facilitate the audit work, the IT internal audit team was tasked with responsibility for collating all the data requested, which was assigned to the Employee. The Employee extracted the payroll data and transferred the data to his laptop. The Employee provided the payroll data requested whilst keeping his own copy.

In Early 2014, a file containing personal details of nearly 100,000 Morrison employees was posted on a file sharing website by the Employee concerned. Shortly afterwards, links to the website were placed elsewhere on the web. The data consisted of personal data (e.g. names, addresses, dates of birth, salaries, bank details etc.). In March 2014, a CD containing a copy of the data was received by various newspapers in the UK. The newspapers did not publish the data and the Employer was informed of the data breach. Within a few hours The Employer had taken steps to ensure the website had been taken down. The Employer also alerted the police.

In March 2014, The Employee responsible for the data breach was arrested and later sentenced to 8 years in prison for fraud, gaining unauthorised access to computer material and disclosing personal data. At The Employee’s criminal trial, there was no doubt that it was the previous verbal warning that caused the Employee to deliberately leak data of past and present employees.

As a result of the Employee’s deliberate leaking of employee data, 5,518 Morrison employees’, whose data was leaked , brought claims in the High Court for compensation under the DPA [The 1998 DPA Act, which was in force at the time] , under common law for the misuse of private information and in equity for breach of confidence. The employees’ brought the claims on the basis that the Employer had primary liability for its own acts and omissions, and vicarious liability for the actions of the Employee who harmed his fellow workers.

The High Court upheld the Employees’ claims against the Employer and ordered that the Employer was vicariously liable in damages to the 5,518 Employees/ former Employees of the Employer for the disclosure of their personal information by the former Employee. The Employer appealed the High Court decision as to whether the Judge was correct to hold the Employer vicariously liable to the Claimant Employees for the actions of their former Employee. The Court of Appeal heard the Employer’s appeal against the High Court decision and rejected the Employer’s appeal, holding that the Employer was vicariously liable for the Employee’s deliberate data breach on the basis that the Employee was at the time acting in the course of his employment and the fact the Employee’s actions were malicious did not matter. The Employer has indicated intending to appeal to the Supreme Court as they stated they were not aware any of the Claimant Employees’ suffered financial loss as a result of the data breach.

This case highlights how important it is for Employers to ensure they have robust data protection measures in place to prevent this kind of incident taking place. As mentioned, this case related to a breach under the old data protection rules, where compensation was much more limited. With the new increased levels of compensation imposed since May 2018 under the new Data Protection Regulations [GDPR], this could create a very substantial liability for Employers but Employers can try to reduce exposure and shift the risk to third-party insurers, ensuring such events are covered under the insurance and by monitoring staff handling of personal data.