Morrisons loses data leak appeal

Morrisons loses data leak appeal

By Lucy Scott, Senior Vice President, Global Cyber & Technology, Lockton Companies.

The Court of Appeal recently issued its judgment on whether Morrisons is liable to pay damages to its employees, after their personal information was stolen and disclosed by a disgruntled employee.

If the decision is upheld by the Supreme Court it would establish important legal precedent.

It was an appeal of a judgment made in the High Court at the end of 2017, where it was held that Morrisons is liable to pay damages to more than 5,000 employees affected by the privacy breach.

The proceedings are only concerned with establishing liability. The question of the extent to which the affected individuals were harmed, and the ultimate compensation, will need to be established at a later trial.

What happened

In 2014, a disgruntled Morrisons employee put online the names, addresses, bank account details, salaries and national insurance numbers of nearly 100,000 other employees. There was a resultant risk that the employees may become the victims of fraud. The breach cost the company more than £2 million in professional and legal fees to address the data breaches.

As a result, 5,518 employees commenced legal action against Morrisons, claiming damages for misuse of private information, breach of confidence and breach of statutory duty under the Data Protection Act.

The High Court judge held that primary liability did not lie with Morrisons, given that the company did not authorise the misuse of information and the disgruntled employee had acted illegally. Additionally, in the circumstances, the rogue employee was the data controller, rather than Morrisons. The judge therefore found that Morrisons was vicariously liable for the breach as the employer, citing many examples of case law as authority on that point.

The judge acknowledged that the ruling may be furthering the criminal employee’s aim to harm Morrisons and that that would make the court an accessory to his crime. He therefore granted permission to appeal.

The grounds for appeal considered by the Court of Appeal, were that the Data Protection Act does not extend to vicarious liability and that the rogue employee was not acting in the course of his employment, hence there is not a sufficient connection to establish that Morrisons is vicariously liable for his actions. The judges dismissed the appeal.

Morrisons are assessing grounds to appeal to the Supreme Court.

Cyber Insurance

In response to arguments made by defence counsel around the potentially huge financial burden that the decision could place on Morrisons, the judges commented that the availability of insurance provides a “valid answer”.

If the decision of the Court of Appeal is upheld by the Supreme Court this would establish important legal precedent.

This is exactly the type of litigation that a cyber policy is designed to provide our clients with coverage for – both for the defence costs and any eventual settlement, including compensation costs for the claimants.


For information relating to this article please contact Lucy Scott on:

+44 (0)20 7933 2382