Data Breaches – Various Claimants v WM Morrisons Supermarket
The Court of Appeal has upheld a ruling that an employer is vicariously liable for the actions of a rogue employee who caused the personal information of 100,000 employees to be posted onto the internet. Following disciplinary action, the employee released the personal payroll data of tens of thousands of employees onto a file-sharing website. The employee was arrested, charged with and convicted of fraud under the Computer Misuse Act 1995 and under Section 55 of the Data Protection Act 1988.
A large number of Morrisons’ employees brought a group civil claim against Morrisons for compensation, arguing that it had failed to safeguard their personal data.
The Court of Appeal upheld the High Court ruling that there was a sufficient connection between the employee’s duties and his wrongdoing for the employer to be vicariously liable. This was a case brought under the Data Protection Act 1988. Given the wide-scale data breach, Morrisons could, post-May 2018, have been exposed to a significant fine of up to 4% of turnover as well as a claim for significant damages.
The case highlights that employees are increasingly aware of their right to take action in relation to personal data breaches and that employers still need to take steps to ensure compliance with their obligations under GDPR.