Many readers will already have heard about the Court of Appeal decision in Morrisons v Various Claimants [1] confirming that employers can be vicariously liable for data breaches by dishonest and malicious employees – even where the employer has taken appropriate measures to comply with its data protection obligations.
In outline, a disgruntled employee exploited his access to Morrisons' payroll data (including address, salary, national insurance and bank account details) and posted the data online. Morrisons' security measures, and its response to the data breach, were exemplary. It is notable that the Information Commissioner's Office decided that no enforcement action was appropriate.
However, over 5,000 affected employees commenced group litigation proceedings against Morrisons. At first instance, Langstaff J held that Morrisons was not directly liable for the breach because it had adequate data protection measures in place. However, Langstaff J also held that Morrisons was vicariously liable for the actions of its employee. The Court of Appeal confirmed that decision, holding that the Data Protection Act did not exclude the vicarious liability of an employer for misuse of private information, and that the actions of the employee formed part of the "seamless and continuous sequence" of events, such that Morrisons was vicariously liable.
This decision is only likely to fuel the growth of litigation relating to data protection obligations, including data breaches, that has developed in light of the GDPR.
The immediate practical point that emerges from the Court of Appeal judgment is to check the terms of your insurance and related procedures. The Court of Appeal recognised the potential for "a large number of claims … for potentially ruinous amounts" following large scale data breaches. It identified "the ability to insure against such catastrophes [including] losses caused by dishonest or malicious employees" as the solution.
It will be interesting to see how the insurance market responds. In the meantime, we recommend checking whether your insurance covers data breaches, including as a result of the actions of employees. Do you have a procedure in place to comply with any notification obligations under the insurance policy (which are often strict)? Does your communications protocol control the making of statements or admissions following a data breach which might potentially compromise a claim under the insurance policy? Given the Court of Appeal judgment, these points assume even more importance.
For further information please contact the authors below or your usual Ashurst contact.
1. WM Morrison Supermarkets plc v Various Claimants [2018] EWCA Civ 2339