Morrisons loses data breach challenge
Supermarket Morrisons has lost its appeal following a breach at the company which resulted in thousands of its employees' details being posted online. The case is the first data leak group action in the UK.
In December 2017, in a landmark ruling, the High Court found Morrisons supermarket group liable for a mass data breach caused by the criminal actions of a rogue employee. However, Morrisons went on to challenge this decision.
The employee stole data from nearly 100,000 staff. This included names, addresses, salary and bank details. The information was then posted online and sent to newspapers. The media did not publish the data and Morrisons was informed of the breach. The employee was subsequently jailed for eight years.
Today, the Court of Appeal upheld the original decision against the supermarket with three judges saying they agreed with the High Court's earlier decision.
Why is this case so important?
In 2015 - in the first group litigation of its kind in the UK - over 5,000 people brought a claim against Morrisons under the Data Protection Act 1988, for misuse of private information and breach of confidence.
In December 2017, despite acknowledging that Morrisons had taken all the appropriate steps to prevent a breach, the High Court found that the company was liable for its omissions such as not ensuring the proper security measures to protect the data.
The judge in the original case also ruled that Morrisons was "vicariously liable" for the employee's actions. In a workplace context, an employer can be vicarious liability for the actions of its employees, as long as it can be shown that they took place in the course of their employment.
The decision to hold Morrisons vicariously liable is important, as it gives victims more opportunities to seek compensation (companies are more likely to be insured against such liability than employees).
The case also paved the way for those affected by data breaches to claim damages for distress, even if they have not suffered any financial loss.
Morrisons has now said that it will now appeal to the Supreme Court. If that appeal fails, those affected will be able to claim compensation for "upset and distress".
The latest decision is good news for people who want to hold businesses to account for a failure to protect personal and sensitive data.
The judgement has been referred to as a "wake-up call for businesses" and Morrisons could now face a hefty compensation bill.