In the first ever group litigation for a data breach to come before the courts, the High Court has found WM Morrison Supermarkets PLC ("Morrisons") vicariously liable for the 2014 leak of almost 100,000 employees' details by a disgruntled ex-employee, Andrew Skelton.
The claim against Morrisons was brought by over 5,000 current and former employees. They claimed that the data leak exposed them to potential identity theft and other financial loss, and sought compensation for the distress and loss caused. Morrisons denied liability, arguing that the company was not liable either directly or indirectly for Andrew Skelton's criminal misuse of the data, and that it had already suffered serious damage, having incurred £2m in costs as a result of the data breach.
The judge cleared Morrisons of primary liability and ruled that it had not breached data protection principles. However, despite not being directly liable for the breach, Morrisons was held vicariously liable for Andrew Skelton's actions under the extended concept of acting in the course of employment.
The outcome of this landmark case could, if Morrisons are unsuccessful on appeal, have significant implications for UK organisations. Whilst the judge did not feel that this will open the floodgates for group actions in the event of a data breach, the prospect of vicarious liability for data breaches will create concern for all organisations that process personal data.
The General Data Protection Regulation ("GDPR"), which becomes effective on 25 May 2018, imposes stricter obligations on both data controllers and, for the first time, data processors with regard to data security and breach notifications. It introduces mandatory 'privacy by design' obligations whereby organisations are required to adopt and implement relevant measures to embed privacy and data protection compliance into their data processing activities from the outset, for example pseudonymisation or encryption.
Ensuring compliance with these measures could be immensely beneficial to organisations in the event of a data leak. If individuals cannot be identified, this will significantly reduce the chance of a claim against the organisation (and therefore reduce the risk of having to pay compensation), and the regulator (who will have the power under GDPR to fine organisations the higher of €20m or 4% of annual group global turnover) is likely to look more favourably upon companies whose data breaches only affect pseudonymised or encrypted data.
The Morrisons judgment, combined with the impending GDPR, should put data protection and cyber security at the forefront of organisations' priorities and risk management strategies. If organisations cannot demonstrate that they have GDPR-compliant technical and organisational measures in place to prevent data breaches, they may be liable to GDPR-level fines combined with compensation claims for direct and/or vicarious liability.