
          New Data Risk vicarious liability class action

          The much-anticipated liability judgment in the data breach class action case against Wm Morrison Supermarkets plc has been released. DWF are advisors in the case.

          Date: 11/06/2018

          The case

          The claim concerns a former senior employee of Morrisons who had authorised access to personal employee data and who misused it in order to cause harm to his employer. His actions also gave rise to potential claims by every affected individual, numbering tens of thousands. Thousands of them brought a group action against the employer claiming damages for the alleged distress caused by the release of their personal data. The claims were brought under the DPA, for misuse of private information and for breach of confidence, both for direct liability if the defending employer was at fault or, in the alternative, for no-fault vicarious liability.

          The outcome

          We successfully defended the direct liability claims, but the court decided that, on current legal principles of no-fault vicarious liability, it was bound to find that the innocent data controller employer should compensate the individuals despite the employer being the primary intended target of the criminal behaviour. However, the court said that it was troubled by the implications of this decision and, of its own volition, has given Morrisons permission to appeal.

          What does this mean for you?

          The case raises significant, previously unlitigated points concerning the potential direct or vicarious liability of employers where mass personal data they inevitably hold is misused in an unauthorised way.

          The outcome of this case could have significant and damaging financial and reputational effects on all employers.

          Whilst market focus has understandably been on the enhanced potential fines under the GDPR, this is a newly emerging and ongoing issue that is independent of any regulatory penalties. It arises out of the application of data protection and employment law principles to circumstances never previously litigated.

          How can we help?

          Members of the team who have worked on this case for years would be very happy to meet with you to discuss and help you consider how these issues could affect your business and what steps the business might wish to take to address the risks.

          Get in touch with our team below.

          Related people

          Nicole Burton

          • Senior Associate

          Michelle Maher

          • Senior Associate