In the first UK group action case involving a data breach, the High Court has found an employer liable for actions by an employee who had leaked employee data in order to damage the employer. The decision is a worrying one for businesses, as the employer here was found not to be at fault itself in the way it handled its data.

The case involved an internal auditor at the supermarket chain Morrisons. He reportedly had a grudge against Morrisons and, in an attempt to damage the business, leaked employee information online and to various newspapers. The information involved the payroll data of around 100,000 employees. Around 5,500 of them brought a class action case against Morrisons, claiming it was vicariously liable for the actions of its employee. They sought compensation under the Data Protection Act 1998 and the torts of misuse of private information and breach of confidence.

The judge found that, although Morrisons was not itself legally at fault, it could be vicariously liable for the employee’s illegal acts because there was a sufficiently close connection between the employee’s acts and his employment – even though those acts were deliberately aimed at damaging Morrisons. The judge commented: “The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of [the employee] were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims.”

The court granted Morrisons the right to appeal, and there will be no decision on the amount of any compensation until the appeal is heard. All businesses should keep a close eye on how this case unfolds. The High Court decision is here.