The employee, a payroll auditor, held a grudge against Morrisons following an earlier disciplinary issue, and decided to take revenge by stealing close to 100,000 colleagues’ payroll details and offering them for sale on the Dark Web. He was caught and subsequently prosecuted. Although Morrisons invested significant resources in trying to put right the situation, over 5,000 members of staff subsequently commenced group litigation against the supermarket.

The Court of Appeal confirmed that, even though Morrisons itself was not directly responsible for the breach, it was vicariously liable for the malicious actions of its rogue employee. In doing so it followed the Court’s approach in Mohamud v WM Morrison Supermarkets Plc, looking at:

  1. what functions or “field of activities” have been entrusted to the employee (here, the employee was responsible for handling payroll information); and
  2. whether there was “sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice.” The Court concluded it was right for this to occur.

We understand Morrisons may look to appeal to the Supreme Court.

What to take away

The case is the first major application to data protection of principles well-established in other torts – for instance, responsibility for sexual abuse or violence committed by staff (bizarrely, the current leading case on vicarious liability, Mohamud, also involved the supermarket chain, which was held responsible after a member of staff seriously assaulted a customer at a petrol station). The difficulty for organisations is that the potential number of claimants arising from a single data protection incident is often going to be much higher than the number arising from a fight in a car park. Furthermore, the amount of damages which claimants are routinely seeking for data protection-related claims is increasing.

The Court of Appeal suggested that insurance could be part of the solution. However, care needs to be taken to ensure that any cover is appropriate – for instance in terms of the scope of cover and excess arrangements.

Other steps an employer could take involve the careful vetting of staff, minimising the number of opportunities for an incident to arise in the first place (for instance, restrictions on emailing or downloading data), as well as monitoring activities – but this also needs to be undertaken carefully.

How can Capsticks help?

Our team of information law experts are well versed in data protection claims and incident management. We also frequently advise organisations on putting in place appropriate data-processing arrangements in the first instance.

For more information please speak to Andrew Latham, Peter Marquand, Ian Cooper or Tracey Lucas.