What the Morrisons case tells us about data breach liability


This week the supermarket Morrisons lost its appeal at the Court of Appeal against the 2017 judgment that it was vicariously liable for a data breach that occurred in 2014.

The data breach was caused by a disgruntled employee who leaked employees’ payroll information on the internet back in 2014. The employee in question is now serving a prison sentence, and although Morrisons were able to demonstrate that they were not the cause of the breach (i.e. they had appropriate security in place, etc.), in December 2017 they were found to be responsible to their employees for the breach, even though it was not their fault.

The court found in favour of the employees and declared that Morrisons would have to pay damages to the employees affected. Morrisons said at the time that they planned to appeal, which is what happened this week, but the Court of Appeal found again in favour of the claimants and against Morrisons. Morrisons say they will take the case further, to the Supreme Court. In a statement, Morrisons said:

A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet, and he’s been found guilty of his crimes.

Morrisons has not been blamed by the courts for the way it protected colleagues’ data, but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.

Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.

We believe we should not be held responsible, so that’s why we will now appeal to the Supreme Court.

When businesses think about data breaches from a GDPR and data protection perspective, the focus is usually on the GDPR’s requirements around whether the breach is reportable to the regulator (the ICO in the UK) and to the data subjects themselves, with an underlying worry about what the consequences (fines, legal remedies) might be, particularly if the regulator becomes involved.

Of course, alongside fines, one of the remedies available to data subjects is to seek compensation for damage caused by the breach. The intention of the law here, though, is that data subjects sue for damages caused by a data controller’s direct breach of data protection rules. In the Morrisons case, though, Morrisons weren’t directly to blame: it was the employee’s fault, not Morrisons’.

The Morrisons case is the first of its kind in the UK. What it tells us is three things:

  1. you might have the tightest data security within your organisation but, as is often the case with cyber-security, you can’t protect against the independent actions of your employees; no amount of data protection compliance is going to prevent a rogue employee acting in their own interest
  2. you’ll need to consider what other options or contingencies exist to protect your business from such claims; maybe insurance is the answer
  3. if Morrisons’ case fails in the Supreme Court, the floodgates may open for further class actions
