In Various Claimants v WM Morrisons Supermarket plc [2017] EWHC 3113 (QB) the issue for the court was whether Morrisons as a data controller was liable either directly or vicariously for the actions of an employee (Mr Skelton) who had a grudge against them and who used his access to the payroll data of almost 100,000 employees, to steal that data and publish it online. The claim is the first ever class action concerning a data protection breach to be heard by the UK courts and is of crucial importance to all data controllers, not least given the potentially huge financial implications.

Following a close analysis of the sequence of events and of the protections that Morrisons had in place in relation to its payroll data the court rejected the claim that Morrisons was directly responsible for the disclosure of its employee data. However, despite having largely found that Morrisons’ processes and procedures were sufficient, the court nevertheless held that it was vicariously liable for its employee’s criminal acts following a recent line of authorities on vicarious liability (Mohamud v WM Morrison Supermarkets plc [2016] and others). There was a sufficiently close connection between Mr Skelton’s role in his job and the circumstances of the breach for Mr Skelton to be treated as acting in the course of his employment. In reaching that conclusion the judgment is the first to find that there can be vicarious liability for a data breach involving an employee’s theft of data.

For detailed consideration of what led to the data breach; Morrisons’ defence to the claim and the court’s treatment of the claims of those whose details were released see here for Tim Smith’s analysis of the dispute. There Tim also provides comment on the impact of the decision for a business where an employee’s actions has led to a data breach; the importance of adequate insurance cover and what conclusions can be drawn from the judgment in relation to the risk management challenges businesses face. Moving forward we will keep developments under close review, the trial was of liability only so quantum is still to be addressed and permission to appeal has been granted in relation to the conclusion reached on vicarious liability.