Last week the High Court ruled Morrisons to be vicariously liable for a leak of its employees' data, in the first US-style class action in the UK involving a personal data breach.
The data breach, which happened in 2015, was caused by a senior employee of Morrisons, Peter Skelton. Having a grievance against his employer, Skelton used his position to steal personal data, (including names, addresses, dates of birth, bank account details, salaries and national insurance numbers) of nearly 100,000 of his colleagues. He subsequently published the information on the internet and sent it to a number of newspapers. He was found guilty of fraud in 2015, and was sentenced to eight years in prison.
Morrisons acted quickly following the breach to get the data taken down, and spent a considerable sum of money to provide protection for the affected employees. In fact the judge in the case, Langstaff J, agreed that Morrisons was not necessarily at fault in the way it protected the personal data of its employees. However, he did find that the law held Morrisons responsible for the actions of Skelton, on the basis the company deliberately entrusted him with access to confidential information (including the leaked payroll data) on a daily basis, and took the risk that they might be wrong in placing trust in him.
Langstaff J said in his ruling "There is a sufficient connection between the position in which Skelton was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by Morrisons (albeit it was meant to be to KPMG alone), to make it right for Morrisons to be held liable 'under the principle of social justice which can be traced back to Holt CJ'. This conclusion would be the same irrespective of whether a breach of duty under the DPA, a misuse of private information, or a breach of the duty of confidence was concerned, for the essential actions constituting a legal wrong in each case were the same."
The High Court trial focused only on establishing liability, and Morrisons has already confirmed that it intends to appeal the decision. If the appeal is unsuccessful, a second trial will determine what Morrisons will have to pay in damages. The claimants' lawyers expect that each individual could receive thousands of pounds in compensation.
The case has potential implications for every organisation in the country which collects and processes personal data about individuals. The ruling strengthens the position that individuals affected by a data breach may claim compensation for the "upset and distress" caused. In fact, the right for individuals to claim compensation for material and non-material damage (even where little or no financial loss has occurred) is specifically written into the new EU General Data Protection Regulation (GDPR) which will come into force from 25 May 2018.
The landmark ruling in Morrisons means that we should expect to see more US style class actions against companies following data breaches. Only last week it was reported that Google faces a US style class action by a group calling itself "You owe us Google" who may ultimately act on behalf of up to five million iPhone users alleging that Google bypassed privacy settings to unlawfully collect and use their personal information.
Going forward, organisations which collect and use personal data about individuals should:
- ensure they take data protection seriously, particularly in the light of the forthcoming GDPR which attracts fines of up to 20million (EURO) (or 4% global turnover), whichever is the higher, as well as compensation claims under individual and class actions. Those have not yet started their GDPR readiness programme should do so as soon as possible (and we can help with this);
- consider limiting employees' access to personal data about employees, customers and other individuals - particularly where this data is sensitive or involves financial information, or there are concerns about individuals' trustworthiness or are in disciplinary proceedings or similar;
- ensure they have in place a robust data breach response plan in place to deal with the consequences of a data breach quickly, and limit any financial damage or distress of individuals concerned; and
- review insurance policies to ensure they will cover liability under any class or collective action, including claims for emotional harm such as distress or hurt feelings.