UK Supermarket chain Morrisons has lost in the Court of Appeal with the Court unanimously affirming the High Court decision that the business is liable for a data privacy breach which saw 99,998 of its employees’ details shared online, including personal financial details.
Whilst none of the employees suffered financial losses, their claim for compensation was founded on any upset and distress caused by the breach, as they faced exposure to the risk of identity theft and potential financial loss.
The employees themselves originally brought the civil claim against the supermarket giant in late 2017. Meanwhile, begrudged employee Andrew Skelton, who was responsible for leaking the payroll data of those near 100,000 staff members at Morrisons, was convicted of fraud and sentenced to 8 years in jail by Bradford Crown Court in 2015.
In its defence Morrisons argued that it should not be liable for the misuse of its data, but the Court of Appeal noted that while not directly liable for the breach, it was vicariously liable for the torts committed by Mr Skelton against the Claimants.
Vicarious liability ensures employers are legally responsible for the acts of their staff in the course of their employment. It is expected that insurance be taken out to protect against negligent or malicious employees, and then beyond that taking reasonable steps to ensure no harm can be caused in the first place, for example ensuring the security of their data systems or monitoring staff.
The business, as a result of the Court’s decision, continues to face a significant payout to its employees. However, Morrisons is arguing that the way in which it protected the data was clearly secure as to not fall short of being fit for purpose and that it should therefore not be vicariously liable for the actions of Mr Skelton.
Morrisons now plans to appeal the decision to the Supreme Court on this point of law: whether employers can be vicariously liable for an employee’s actions even where they have taken reasonable steps to prevent any malicious or negligent behaviour.
If left to stand this decision is a blow to all UK businesses in terms of compliance with the law. To be held vicariously liable in such instances of wilfully malicious attacks on their security, on the face of it at least, appears quite unforgiving, as there may simply be very little the businesses can do to stop this beyond what might be considered reasonable. This represents a situation that goes beyond mere negligence on their part as the reason for a breach.
Considering the recent implementation of General Data Protection Regulation, it is evident that now more than ever businesses must ensure data protection a top priority. The bottom line appears to be that breaches of data held by a business, whatever their nature, will raise a strong risk of liability for the business.
However, this principle cannot be said to be without merit. People place their trust in the businesses to which they give their custom, and business transactions cannot take place without the offering of personal data, to which the party processing that data has a duty not to mishandle. Clearly there is a strict duty on businesses to ensure any and all data they maintain is near absolutelysecure.