In the first ever group litigation for a data breach to come before the courts, the High Court has found WM Morrison Supermarkets PLC ("Morrisons") vicariously liable for the 2014 leak of almost 100,000 employees' details by a disgruntled ex-employee, Andrew Skelton.

The 2014 leak

In summary, the details of the 2014 leak are as follows:

  • Andrew Skelton, a former internal auditor for Morrisons, leaked payroll data which included National Insurance numbers, dates of birth, addresses, bank account details and salaries of Morrisons' employees.
  • The data leaked was posted online and sent to various newspapers and websites.
  • The Crown Court, during his 2015 trial, heard that Andrew Skelton's actions stemmed from a grudge he held against Morrisons after he received a warning for using the company's post room to sell items on eBay.
  • When Morrisons was notified about the data breach, the company acted quickly and the leaked information was taken down within 24 hours.
  • Following the 2015 trial, Andrew Skelton was found guilty of fraud, securing unauthorised access to computer material and disclosing personal data.
  • Morrisons was awarded £170,000 in compensation as a result of the data breach and Andrew Skelton has been jailed for eight years.

The claim against Morrisons

The claim against Morrisons was brought by over 5,000 current and former employees. They claimed that the data leak exposed them to potential identity theft and other financial loss, and sought compensation for the distress and loss caused. Morrisons denied liability, arguing that the company was not liable either directly or indirectly for Andrew Skelton's criminal misuse of the data and that it had already suffered serious damage, having incurred £2m in costs as a result of the data breach.

There were essentially two questions before the court:

  1. Was Morrisons directly liable for the breach under the Data Protection Act 1998 or at common law?
  2. Should Morrisons be vicariously liable for its ex-employee's actions?

The judge cleared Morrisons of primary liability and ruled that it had not breached data protection principles. He said "Morrisons have not been proved to be at fault by breaking any of the data protection principles, and neither primary liability for misuse of private information nor breach of confidentiality can be established."

However, despite not being directly liable for the breach, Morrisons was held vicariously liable for Andrew Skelton's actions under the extended concept of acting in the course of employment.

The judge has granted Morrisons permission to appeal his decision to the Court of Appeal.

Likely implications

The outcome of this landmark case could, if Morrisons is unsuccessful on appeal, have significant implications for UK organisations. Whilst the judge did not feel that this would open the floodgates for group actions in the event of a data breach, the prospect of vicarious liability for data breaches will create concern for all organisations that process personal data.

This is especially the case given the recent increase in the frequency and scale of data breaches. Equifax's admission that 15.2 million of their UK client records were compromised, including sensitive information of 693,665 UK customers, and Uber's admission that 2.7 million UK users of its app were affected by a mass data breach in 2016 are prime examples of where there could be an increase in group litigation in this area.

The General Data Protection Regulation

The General Data Protection Regulation ("GDPR"), which becomes effective on 25 May 2018, will have a significant impact on organisations in respect of their data security practices. The GDPR imposes stricter obligations on both data controllers and, for the first time, data processors with regard to data security and breach notifications.

The GDPR introduces mandatory 'privacy by design' obligations whereby organisations are required to adopt and implement relevant measures to embed privacy and data protection compliance into their data processing activities from the outset. The privacy by design measures encouraged by the GDPR are pseudonymisation and encryption, that is, the processing of personal data in such a way that the data cannot be attributed to an individual without the use of a key or of additional information kept separately and securely.

Whilst this may be seen by organisations as a regulatory burden and operational cost, ensuring compliance with these measures could be immensely beneficial to organisations in the event of a data leak. If individuals cannot be identified, this will significantly reduce the chance of a claim against the organisation (and therefore reduce the risk of having to pay compensation). The regulator, who will have the power under the GDPR to fine organisations the higher of €20m or 4% of annual group global turnover, is also likely to look more favourably upon companies whose data breaches only affect pseudonymised or encrypted data.

The Morrisons judgment, combined with the impending GDPR, should put data protection and cyber security at the forefront of organisations' priorities and risk management strategies. If organisations cannot demonstrate that they have GDPR-compliant technical and organisational measures in place to prevent data breaches, they may be liable to GDPR-level fines combined with compensation claims for direct and/or vicarious liability.