The harsh outcome for corporate victims of data breach was writ large by a decision of the High Court on Friday (1 December).
In Various Claimants v Wm Morrisons plc [2017] EWHC 3113 (QB), Mr Justice Langstaff found that the defendant supermarket was liable to 5,518 of its own employees, who had sued over their personal details being unlawfully posted online.
In what is the UK’s first US-style class action for data breach, the decision ultimately rested not on data protection law but on the well-established principle of vicarious liability for the acts of employees, even where those acts are not sanctioned – and are indeed forbidden – by the company.
The personal data, including names, addresses, phone numbers, bank details and salary details of the employees, was posted on a file-sharing website and sent to newspapers after senior IT auditor Andrew Skelton copied the data (which he had been entrusted with as part of his work) and leaked it, seemingly with the intention of causing harm to Morrisons.
Skelton, who was convicted in separate proceedings under s.55 of the Data Protection Act 1998 (DPA) and sentenced to eight years in prison, had a grudge against his employer after he had been subject to disciplinary proceedings.
The Court heard that dealing with the aftermath of the breach had already cost Morrisons more than £2 million.
Mr Justice Langstaff, in finding that Morrisons had not itself breached the DPA, said: “The technological and organisational measures current in 2013 and 2014 [when the breach occurred]… could not altogether prevent the risk posed by a rogue employee who was trusted and had given no real reason to doubt his trustworthiness.”
The Court looked in very considerable detail at the precise measures that the business had in place to protect the data, such as encryption of the data, the controls on its handling and transfer, and the supervision of employees and of their access to it. These are plainly all prudent precautionary measures that companies should review regularly.
Reputation and Data Litigation partner Jo Sanders said: “If there is any silver lining to this decision for businesses, it is that where a company has taken appropriate IT security measures but still falls foul of a data breach which does not involve an employee, then it is unlikely to be held liable for the consequences of that data loss.
“The judge ruled out a so-called ‘strict liability’ view of data protection law. That means that a business entrusted to look after personal information (known as a ‘data controller’) is not to be held responsible, without any fault of its own, for a subsequent leak of that information by a third party. The case does emphasise the overwhelming importance of information security, but here Morrisons was found generally to have provided adequate and appropriate controls.
“Although this case is being seen as the first data protection class action, Morrisons has lost on the very old employment law principle of vicarious liability. This has a very harsh effect for any business which falls victim to a crime perpetrated by a rogue employee, yet can still be held to blame.”
The amount of damages payable to the claimants is yet to be decided. It is also worth noting that the judge has given Morrisons permission to appeal the vicarious liability finding, and the company has indicated it will do so, so this will not be the last word.