Today the Supreme Court handed down its decision in Wm Morrisons Supermarkets Plc v Various Claimants  UKSC 12, bringing to its conclusion a case which had the potential to alter significantly the data protection and cyber security litigation and class action landscape.
The headline news is that Morrisons has been found not to be vicariously liable for the actions of a rogue employee in leaking employee data to a publicly available file-sharing website.
The judgment will likely result in a collective sigh of relief for organisations that have been watching closely to track their potential liability for data breach class actions. However, it is important to note that the Morrisons case and judgment are very fact-specific; they do not close the door on data breach class action compensation as a whole. Boardrooms should still be examining the technical and organisational measures they have in place to prevent personal data breaches in order to reduce the risk of regulatory enforcement and class actions.
From a class actions perspective, it’s clear that data breach class actions are on the rise in the UK, and today’s judgment should be seen as a setback, not a roadblock. Funders and claimant firms are looking to build class actions in relation to data breaches even where there is no specific evidence of individual damage. They are seeking damages for the whole class for “distress” or a standardised claim of loss of access to data, and even a nominal damages award per claimant could lead to a significant amount over a class of tens or hundreds of thousands.
Today’s judgment will not reverse that trend, but it will at least mean that companies who are themselves victims of data breaches by employees will not also face such claims on this basis alone.
For more information on the decision, see this post on our Data Notes blog.