In the recent case of WM Morrison Supermarkets plc v Various Claimants, Morrisons faced claims from its employees who had been the subject of a data breach.
Morrisons employed a senior IT auditor who was tasked with sending data on approximately 100,000 employees to an external auditing company. He had been given a warning by Morrisons for misuse of the company’s postal facilities and, out of spite, saved this employee data to his personal USB stick and shared it online. He was convicted of several offences including fraud and offences under the Data Protection Act 1998 (as it then was).
Some of the employees affected brought claims against Morrisons, claiming it was vicariously liable for these acts. The Court of Appeal agreed, finding that there was nothing, express or implied, in the Data Protection Act that would exclude the possibility of vicarious liability and that there was a sufficiently close connection between the IT auditor’s employment and his conduct for Morrisons to be held responsible.
This case serves as a reminder to employers to ensure that they have procedures in place to try to protect against data protection breaches and sufficient insurance for instances where such procedures have been ineffective. This is particularly so, given the Court of Appeal’s comments that the individual’s motive (in this case, to harm the employer) was irrelevant in assessing liability.