Volume: 14 Issue: 12
(December 2017)
Keywords:
litigation
employment
data breach
Jurisdictions:
UK
On 1 December 2017, the Honourable Justice Brian Langstaff of the Queen’s Bench Division of the High Court of Justice (‘the High Court’) issued his decision in the class action Various Claimants v. Wm Morrisons Supermarket PLC, addressing whether Morrisons could be held liable for the criminal actions of Andrew Skelton, who maliciously disclosed the personal data of co-employees. The High Court determined that, although the Data Protection Act 1998 would not impose primary liability on Morrisons, vicarious liability could be established, i.e. the liability under which employers, without personal fault, are held responsible for the wrongs committed by their employees.
David Lorimer, Associate at Fieldfisher LLP, said, “What is interesting about this case is that it emphasises that cyber risks don’t just come from external hackers, but can also come from internal, trusted employees. It is the first time a court has held that employers will be vicariously liable for breaches of data protection laws by rogue employees.”
The High Court held that primary liability could not be established since Morrisons did not directly misuse any personal data, nor authorise or permit its misuse by any carelessness on its part. However, the High Court justified Morrisons’ vicarious liability on the basis of the principle of social justice under common law, finding there was a “sufficient connection between the position in which Skelton was employed and his wrongful conduct, put in the position of handling and disclosing the data as he was by Morrisons” and rejecting the argument that the Data Protection Act, by its terms, would exclude such liability.