The first successful class action over a data breach has been upheld by the Court of Appeal and could be the start of a wave of such claims, lawyers have said.
Supermarket giant Morrisons was found vicariously liable to 5,518 current and former employees for the actions of a disgruntled member of staff.
Andrew Skelton posted their bank account details, dates of birth, National Insurance numbers, addresses and telephone numbers on the internet, along with those of nearly 100,000 other employees.
This was in breach of the Data Protection Act 1998 and of that employee’s obligation of confidence, despite Mr Justice Langstaff finding that Morrisons did not directly misuse or authorise or carelessly permit the misuse of any personal information, and that Skelton’s intention was to cause damage to Morrisons itself.
Skelton was jailed for eight years for his actions.
Langstaff J appeared to grant permission to appeal because he was troubled that his ruling might seem to render the court an accessory in furthering Skelton’s criminal aims.
In a joint ruling, the Master of the Rolls, Sir Terence Etherton, Lord Justice Bean and Lord Justice Flaux said it has long been “clearly established” that an employer may be vicariously liable for deliberate wrongdoing by an employee.
“We do not accept that there is an exception to the irrelevance of motive where the motive is, by causing harm to a third party, to cause financial or reputational damage to the employer,” they said.
The appeal court was unconvinced by the argument that a finding of vicarious liability would place an “enormous” burden on Morrisons and potentially on other innocent employers in future cases.
It said: “There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment.
“These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees.”
The Court of Appeal has refused Morrisons permission to appeal to the Supreme Court.
The claimants’ solicitor, Nick McAleenan, a partner at Manchester firm JMW Solicitors, said: “These shop and factory workers have held one of the UK’s biggest organisations to account and won – and convincingly so. This latest judgment provides reassurance to the many millions of people in this country whose own data is held by their employer.
“The judgment is a wakeup call for business. People care about what happens to their personal information. They expect large corporations to take responsibility when things go wrong in their own business and cause harm to innocent victims.
“It’s important to remember that data protection is not solely about protecting information – it’s about protecting people”.
The claimants were represented by Jonathan Barnes and Victoria Jolliffe of 5RB chambers.
A briefing issued by City firm Herbert Smith said the case highlighted the wide reach of data protection.
“The decision will also concern employers who can now be vicariously liable for the actions taken by a rogue employee even with appropriate safeguards in place to protect employee personal data.
“In addition to civil liability, organisations may suffer further damage as a result of negative publicity and impact on share price.
“The fear for organisations will now be that this decision, combined with the legislative changes made by the GDPR, increased public awareness of data protection issues, and the publicity that the case has attracted, could spark a new wave of court cases from workers and customers in the event of a data breach.
“Whilst individuals may not themselves be entitled to significant sums, if the data breach affects large numbers of individuals, the total potential liability for organisations could become commensurately large.”
The briefing questioned whether insurance would prove an effective tool to offset the increased risks that organisations now faced.
“Importantly, the case also related to data breaches which occurred prior to 25 May 2018 (ie prior to the implementation of the GDPR).
“In the post-GDPR world where there is an express right for individuals to be compensated for non-material damage (ie distress), it could become even easier to bring such actions.
“With multiple data breaches having hit the headlines since 25 May 2018 (including the Conservative Party conference, Butlin’s, British Airways, Dixons Carphone, Facebook and Google+), it will be interesting to see the impact of this decision on future individual compensation claims and whether or not this case opens the floodgates for data breach class action claims in the UK.”