A recent landmark UK High Court decision found the supermarket chain Morrisons vicariously liable for the actions of a disgruntled employee who published the payroll information of nearly 100,000 employees on the internet in 2014. This decision, coupled with the fact the General Data Protection Regulation ("GDPR") will provide a right to compensation for non-material damage, has prompted organisations everywhere to consider what they need to do to mitigate against the risk of such claims.

Background

A Morrisons' senior internal auditor posted staff salaries, bank details and National Insurance numbers on a file sharing website, as well as sending the data to a number of newspapers. He was subsequently sentenced to 8 years in prison.

Following this 'data breach', Morrisons offered identity theft protection to those affected and compensation to those who suffered fraud. Nearly 6,000 current and former Morrisons employees began a class action and argued that the breach exposed them to the risk of identity theft and potential financial loss. In the UK, the Vidal Hall decision in 2014 established that compensation for non-material loss (i.e. distress and suffering) could be payable arising from a breach of data protection rules, even if no financial loss occurred.

Decision

Various Claimants v WM Morrison Ltd concerned whether Morrisons could be held either directly or vicariously liable for the criminal misuse of its payroll data affected by a rogue employee.

The Court concluded that Morrisons was not directly liable as it had not breached its obligations under the Data Protection Act 1998 ("DPA"), save in one respect which was not causally relevant to the employee’s misuse of the data. The DPA requires organisations to have adequate security measures (i.e. security) in place to prevent the unauthorised or unlawful processing of data – the Court held that Morrisons did have adequate protections in place which were proportionate to the risks involved.

However, the Court held that Morrisons was vicariously liable for the breach on the basis that the employee was ‘acting in the course of his employment’ when he disclosed the data. The Court considered whether the employee's actions were "sufficiently closely connected" with his role at Morrisons. It found that although his criminal venture was designed and intended to damage Morrisons, he did not take these actions outside the scope of his employment. Rather than merely granting him 'access rights', Morrisons had entrusted him with the data. The issue of quantum, or how much compensation was payable, was held over pending determination of liability, a determination that looks certain to be appealed.

Unusually, the Court granted leave to Morrisons to appeal the decision. This was because it recognised the uneasy juxtaposition of Morrisons being liable to the employees, with the rogue employee's action being intended to damage Morrisons, with same Morrisons being liable to the employees.

Comment

To date in Ireland, there are no recorded cases of compensation for non-material loss being awarded by a court. In Collins v FBD, the High Court held that a claimant must establish that there has been material loss or damage and that it was caused by a breach of the Data Protection Acts.

Even if the Morrisons decision were to be overturned on appeal, post-GDPR, organisations in Ireland can be directly liable to pay compensation for material and non-material loss arising from a breaching data protection rules. The GDPR's mandatory reporting obligations (to regulators and data subjects) mean there will be more notifications of personal data breaches and greater publicity. Law firms will exploit the opportunities arising from mass data breaches and advocacy and consumer groups could all be instrumental in orchestrating claims.

This means that even relatively small claims for distress will amount to a substantial sum if there are thousands or tens of thousands of claims. In the UK, the main case on distress / non-material damage and the compensation arising from it is TLT v the Home Office [2016] EWHC 2217 (QB). The court awarded compensation of between £2,500 to £12,500 to each claimant for distress.

To highlight the changes the new regime will have, we canvassed data protection and privacy experts across Europe to predict how the liability and sanctions landscape will change, we are launching a report in the New Year, 'Personal Data: the new oil and its toxic legacy under the General Data Protection Regulation'. There will be an event in the Spring and further details will follow.