The UK has seen a successful collective action brought by data subjects against Morrisons, a large supermarket chain, relating to a data security incident.
The claim itself relates to the actions of a rogue Morrisons employee who developed a grievance against the organisation and resolved to damage it. He worked on the internal audit team and was the conduit for passing various information to the external auditor, including payroll information which was normally held on the central Peoplesoft system and accessible only to a closed group of super-users (of which he was not one). He retained a copy of the payroll information on his laptop, made further copies, and then uploaded it to a file sharing site. He also sent the data to newspapers. The disclosed data included bank account numbers, national insurance numbers and salary information. After a criminal investigation of his actions he was charged and successfully prosecuted.
Over 5000 Morrisons employees were joined to a collective action under a Group Litigation Order, and brought a claim for breach of the current UK Data Protection Act 1998 which applies pre-GDPR. The claims made were that Morrisons should be primarily liable for the unlawful processing, and also for failing to take appropriate security measures, as required under the Act. Alternatively, it was argued that Morrisons were liable on a vicarious basis for the employee's unlawful actions, as his employer.
The Court ruled that Morrisons was not primarily liable for the unlawful processing. Once the employee had himself decided to deal with the data in an unauthorised manner, he had become the data controller and Morrisons did not have primary responsibility for his actions. Morrisons were found to have breached the requirement to implement appropriate security measures in one respect only – failure to have a system in place to check whether the data had been deleted by the employee – but this failure did not cause the unlawful disclosure on the facts, so Morrisons had no liability in respect of it.
However, Morrisons were found liable on a vicarious (secondary) basis for the employee's actions, simply by virtue of their position as his employer. While this was not surprising in one sense, given historic treatment of vicarious liability under English law generally, arguments were made that allowing it in this case would effectively cut across the clear sets of duties in the Data Protection Act – if a data controller could be liable for the actions of an employee, of which it had no knowledge, and against which it had taken appropriate security measures, then this would render meaningless the limits of its Data Protection Act duties. Arguments were also made that allowing secondary liability would effectively be acting as an accessory to the employee's criminal activity – the employee's purpose was to damage Morrisons, and the court would be furthering that purpose by finding Morrisons liable for the same behaviour. The Judge rejected these arguments but felt this issue was sufficiently finely balanced that leave to appeal has been granted.
The trial did not deal with damages, which are yet to be decided. It is clear as a matter of English law, even pre-GDPR, that damages may be awarded for non-pecuniary loss (emotional suffering). Even a small award per data subject would leave Morrisons with an enormous liability.
The case is, we believe, the first successful collective data subject action around an information security breach in the UK. It highlights the clear security risk associated with human factors, and that information security is about much more than simply "IT" measures: it also requires proper and well-enforced organisational processes. It opens the door to further collective actions for security incidents (even pre-GDPR) and causes particular concern around employee "inside jobs", where the employer may find itself liable even if it did everything right under data protection legislation. Claimant lawyers and litigation funders will doubtless be looking at this area with renewed interest in the UK.