• GL
Choose your location?
  • Global Global
  • Australia
  • France
  • Germany
  • Ireland
  • Italy
  • Poland
  • Qatar
  • Spain
  • UAE
  • UK

New Data Risk vicarious liability class action

11 June 2018
Managing reputation
The much anticipated liability judgment in the data breach class action case against Wm Morrison Supermarkets plc has been released. DWF are advisors in the case.

The much anticipated liability judgment in the data breach class action case against Wm Morrison Supermarkets plc has been released. DWF are advisors in the case.

The case

The claim concerns a former senior employee of Morrisons who had authorised access to personal employee data and who misused it in order to cause harm to his employer. His actions also gave rise to potential claims by every affected individual, numbering tens of thousands. Thousands of them brought a group action against the employer claiming damages for the alleged distress caused by the release of their personal data. The claims were brought under the DPA, for misuse of private information and for breach of confidence, both for direct liability if the defending employer was at fault or, in the alternative, for no-fault vicarious liability.

The outcome

We successfully defended the direct liability claims but the court decided that on current legal principles of no-fault vicarious liability, it was bound to find that the innocent data controller employer should compensate the individuals despite the employer being the primary intended target of the criminal behaviour. However, the court said that it was troubled by the implications of this decision and, of its own volition, has given Morrisons permission to appeal.

What does this mean for you?

The case raises significant, previously unlitigated points concerning the potential direct or vicarious liability of employers where mass personal data they inevitably hold is misused in an unauthorised way.

The outcome of this case could have significant and damaging financial and reputational effects on all employers.

Whilst market focus has understandably been on the enhanced potential fines under the GDPR, this is a newly emerging and on-going issue arising out of the application of data protection and employment law principles to circumstances never previously litigated and which is independent of any regulatory penalties.

How can we help?

Members of the team who have worked on this case for years would be very happy to meet with you to discuss and help you consider how these issues could affect your business and what steps the business might wish to take to address the risks.

Get in touch with our team below.

Further Reading

We use necessary cookies to make our site work. We'd also like to set analytics cookies that help us make improvements by measuring how you use the site. These will be set when you accept.

For more detailed information about the cookies we use, see our Cookies page.

Manage your cookies

Our use of cookies

We use necessary cookies to make our site work. We'd also like to set analytics cookies that help us make improvements by measuring how you use the site. These will be set when you accept.

For more detailed information about the cookies we use, see our Cookies page.

Necessary cookies

(Required)

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

These cookies are required

Tracking cookies

Anonymous cookies that help us understand the performance of our website and how we can improve the website experience for our users. Some of these may be set by third parties we trust, such as Google Analytics.

They may also be used to personalise your experience on our website by remembering your preferences and settings.

Marketing cookies

These cookies are used to improve and personalise your experience with our brands. We may use these cookies to show adverts for our products, or measure the performance of our adverts.