In a decision that will come as a big relief to the supermarket giant Morrisons and other UK businesses, the Supreme Court has overturned the Court of Appeal decision that held Morrisons liable for a massive data breach caused by a rogue employee.
The Court of Appeal had previously ruled that organisations can be vicariously liable for data breaches caused by rogue employees – even where the organisation has taken appropriate measures to comply with its data protection obligations. The effect of the Court of Appeal’s decision would have meant that the supermarket would have been exposed to a large number of compensation claims and the case would have set a precedent for future victims of data breaches to argue an employer is vicariously liable for the actions of a former employee.
This class action alone involved some 9,000 people claiming compensation.
It feels like the right legal outcome given it is hard to argue the supermarket did anything wrong but it does mean that there is no legal remedy for thousands of people affected by having personal information posted online. It may therefore be likely that the law will evolve further in this area in the coming years.
The supermarket giant was not liable after an internal auditor leaked payroll data of about 100,000 workers as "revenge", judges decided. The decision overturns a landmark class action case by 9,000 people in a claim for being left "upset and distressed".