Morrisons fails in data breach liability appeal
The decision reinforces the principle that employers will have legal responsibility - and liability - for the acts of rogue employees
Supermarket giant Morrisons today failed in its bid at the Court of Appeal to overturn an earlier ruling relating to a data breach when a former employee leaked personal information about 100,000 members of staff.
Antonis Patrikios, Head of Cybersecurity, Fieldfisher: "The Court of Appeal has confirmed that the risk of exposure to civil claims for data breaches is real. In the UK and the EU, this is a new area of risk for most organisations. The new law on data protection, the EU GDPR and the UK Data Protection Act 2018, now make it easier for individuals to bring claims. At the same time, the data protection awareness of individuals has increased and some lawyers are now quick to try to bring together group actions in the aftermath of serious security incidents that break in the public domain.
"We've known for a long time that good operational security and incident response preparedness are the essential elements of protecting an organisation's systems and data, and mitigating the legal and reputational risk following a serious cyber or other data security incident. It now seems that, increasingly, the third element of such protection is to understand the organisation's exposure to the risk of disputes and litigation, including group claims, and prepare for it."
James Seadon, partner and lead lawyer for data disputes, Fieldfisher: "The Court of Appeal has confirmed that Morrisons should be held liable for the acts of its former employee, even in circumstances where he had set out to cause his employer harm and was later sentenced to 8 years in prison.
"Data controllers may have been encouraged last week by the High Court's decision in favour of Google in the "You owe us" litigation, but today's judgment is a stark reminder of the power of group actions – one of the many reasons why data litigation is a growth area. Due to the sheer numbers of prospective claimants, the contemplated damages are often enormous. The judges have emphasised that while the circumstances facing Morrisons may seem unfair, businesses can mitigate this risk with appropriate insurance. With data breaches, prevention is invariably better than cure, and here too it seems that planning ahead is the key."
David Lorimer, Senior Associate – Employment, Fieldfisher: "The Court of Appeal's decision reinforces the principle that employers will have legal responsibility - and liability - for the acts of rogue employees, even when those rogue employees are motivated by spite against the employer, and are trying to undermine it.
"Given the facts, the obvious concern for employers will remain theft or intentional leaking of personal data relating to employees, customers and other contacts by rogue employees. Obviously though employers will be equally liable for unintentional leaking of data (for example when sharing on unsecured file-sharing sites or storage devices).
"It serves as a reminder that it won't be enough to put technological solutions in place - for example download restrictions on data hosted on HR platforms. Morrison's had relatively comprehensive security measures in place.
"In addition, employers in all sectors need to take a wide ranging approach focussing on vetting of staff, putting in place rules and policies around dealing with data and rolling out practical and comprehensive training programmes."