The Court of Appeal has today dismissed an appeal against the High Court’s decision that Morrisons was vicariously liable for its employee’s misuse of data, despite: (i) Morrisons having done as much as it reasonably could to prevent the misuse; and (ii) the employee’s intention being to cause reputational or financial damage to Morrisons itself: Wm Morrisons Supermarkets Plc v Various Claimants  EWCA Civ 2339.
This case highlights the wide reach of data protection. An organisation can be liable for data breaches even if it has taken appropriate measures to comply with the data protection legislation itself, and even if it is the intended victim of the breach. In this respect, the decision will also concern employers who can now be vicariously liable for the actions taken by a rogue employee even with appropriate safeguards in place to protect employee personal data. In addition to civil liability, organisations may suffer further damage as a result of negative publicity and impact on share price.
The fear for organisations will now be that this decision, combined with the legislative changes made by the GDPR, increased public awareness of data protection issues, and the publicity that the case has attracted, could spark a new wave of court cases from workers and customers in the event of a data breach. Whilst individuals may not themselves be entitled to significant sums, if the data breach affects large numbers of individuals, the total potential liability for organisations could become commensurately large. In this regard, it will be interesting to see how the court approaches the issue of quantum in the case against Morrisons.
The Court of Appeal suggested that insurance could be the answer to “Doomsday or Armageddon arguments” about the effect of its decision. However, it remains to be seen whether this will be an effective tool that can be used to offset the increased risks that organisations now face.
Importantly, the case also related to data breaches which occurred prior to 25 May 2018 (ie prior to the implementation of the GDPR). In the post-GDPR world where there is an express right for individuals to be compensated for non-material damage (ie distress), it could become even easier to bring such actions. With multiple data breaches having hit the headlines since 25 May 2018 (including the Conservative Party Conference, Butlin’s, British Airways, Dixons Carphone, Facebook and Google+), it will be interesting to see the impact of this decision on future individual compensation claims and whether or not this case opens the floodgates for data breach class action claims in the UK.
For more information see our data protection update on the decision.