Court of Appeal confirms Morrisons vicariously liable for employee’s deliberate actions in first successful UK class action for data breach

The Court of Appeal has today dismissed an appeal against the High Court’s decision that Morrisons was vicariously liable for its employee’s misuse of data, despite: (i) Morrisons having done as much as it reasonably could to prevent the misuse; and (ii) the employee’s intention being to cause reputational or financial damage to Morrisons itself: Wm Morrisons Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339 (the Court of Appeal’s full judgment and our summary of the High Court decision are available separately).

Summary implications for businesses

This case highlights the wide reach of data protection. An organisation can be liable for data breaches even if it has taken appropriate measures to comply with the data protection legislation itself, and even if it is the intended victim of the breach. In this respect, the decision will also concern employers who can now be vicariously liable for the actions taken by a rogue employee even with appropriate safeguards in place to protect employee personal data. In addition to civil liability, organisations may suffer further damage as a result of negative publicity and impact on share price.

The fear for organisations will now be that this decision, combined with the legislative changes made by the EU General Data Protection Regulation (“GDPR”), increased public awareness of data protection issues, and the publicity that the case has attracted, could spark a new wave of court cases from workers and customers in the event of a data breach. Whilst individuals may not themselves be entitled to significant sums, if the data breach affects large numbers of individuals, the total potential liability for organisations could become commensurately large. In this regard, it will be interesting to see how the court approaches the issue of quantum in the case against Morrisons.

The Court of Appeal suggested that insurance could be the answer to “Doomsday or Armageddon arguments” about the effect of its decision. Cyber insurance typically covers claims for breaches of confidential information; and in some circumstances coverage may also be found in other classes of liability insurance. However, at this stage the UK cyber insurance market remains in its infancy and claims experience is limited. It therefore remains to be seen how the market will react to this enhanced exposure and whether insurance will be an effective tool to offset the increased risks that organisations now face.

Importantly, this case related to data breaches which occurred prior to 25 May 2018 (i.e. prior to the GDPR coming into effect). In the post-GDPR world, where there is an express right for individuals to be compensated for non-material damage (i.e. distress), it could become even easier to bring such actions, particularly where there have been findings of non-compliance by the Information Commissioner’s Office (“ICO”), the UK’s data protection regulator. With multiple data breaches having hit the headlines since 25 May 2018 (including the Conservative Party Conference, Butlin’s, British Airways, Dixons Carphone, Facebook and Google+), it will be interesting to see the impact of this decision on future individual compensation claims and whether or not this case opens the floodgates for data breach class action claims in the UK.