On 1 December 2017, in the case of , the High Court gave judgment in the first ever group litigation data breach case to come before UK courts.
The issue for the court was whether Morrisons supermarket was liable for the actions of an employee who had, as an act of malice, taken payroll data relating to some 100,000 employees and published it online. 5,500 employees of Morrisons brought claims against it for compensation.
The background to this case is that, in late 2013, an internal auditor (‘S’) employed by Morrisons started to misuse significant quantities of payroll data, information which had been provided to him by the company as part of its annual audit process. S secretly copied Morrisons’ payroll master file from his work laptop and then disclosed an edited version on an online file-sharing website. S also sent copies of the edited file to various newspapers. S was subsequently arrested and ultimately convicted in relation to his criminal misuse of the payroll data.
During the course of his trial, it emerged that S had embarked on his criminal venture for purely malicious reasons: he wanted to punish Morrisons in connection with a disciplinary process to which he had been subject earlier in 2013. Upon discovering the misuse, Morrisons immediately took action to protect the affected employees from any potential financial loss which might have resulted from the disclosures.
The court concluded that, despite having itself been entirely innocent of the misuse, Morrisons was liable to compensate all the claimants.
This judgment has enormous implications. It means that an organisation can be held liable to compensate employees (and perhaps anyone else) for loss – including non-financial loss, such as upset and distress – caused by a data breach, even when the breach was caused entirely by an employee and with no wrongdoing having been committed on the part of the organisation.
Moreover, this judgment (which grants Morrisons leave to appeal) acknowledges that the finding of liability could lead to the paradoxical result of furthering the intention of S, which was to cause financial harm to his employer.
If this judgment is upheld, employers will need to come to terms with a significantly greater liability risk relating to the actions of their employees in the context of data breaches.