The UK Court of Appeal has dismissed an appeal against the High Court’s decision that Morrisons is vicariously liable to 5,000 employees for misuse of their personal data by a rogue employee.
The decision is causing shockwaves amongst businesses, as it shows that a company may be held vicariously liable for a data breach caused by an employee, even if the employee’s motive in committing the breach was to harm the company (Wm Morrisons Supermarkets Plc v Various Claimants EWCA Civ 2339).
The amount of compensation to be awarded has yet to be determined. The Court of Appeal acknowledged that data breaches caused by either corporate system failures or negligence by individuals acting in the course of their employment may lead to a large number of claims against companies for “potentially ruinous amounts”, and said that the solution is to insure against such catastrophes. In the court’s view, the availability of such insurance was a valid answer to the “Doomsday or Armageddon arguments” about the effect of its decision.
Although this is a UK decision, it will be of persuasive authority to the Irish courts if a similar action is brought here. It remains to be seen whether the decision will open the floodgates to vicarious liability actions being taken against companies for data breaches caused by employees. However, it is likely to be easier to take such actions going forward, as the GDPR and Irish Data Protection Act 2018 allow compensation to be awarded to data subjects for non-material loss, such as emotional distress. Morrisons has indicated that it intends to appeal the decision to the UK Supreme Court.
Our blog on the High Court’s decision is available here.