The UK Supreme Court has granted supermarket chain Morrisons permission to appeal against a landmark UK Court of Appeal ruling that found it vicariously liable for a deliberate data breach carried out by a former employee (previously discussed here).
Mr Skelton, an internal auditor at Morrisons, maliciously disclosed his co-workers’ personal data (including payroll data) on the internet. The UK Court of Appeal found Morrisons vicariously liable for the rogue employee’s actions, even though the data breach was targeted at harming Morrisons. In a class action suit, over 5,500 employees sued Morrisons for compensation for loss caused by the data breach, including non-pecuniary loss such as distress.
The Court of Appeal acknowledged that data breaches caused by individuals acting in the course of their employment may lead to a large number of claims against companies for “potentially ruinous amounts” but that the solution is to insure against such catastrophes. However, although insurance may help mitigate the consequences of a data breach, it is not a magic solution. In particular, it may be challenging for organisations to price a potential data breach. It is vital therefore that companies also take all appropriate technical and organisational measures to prevent the accidental or unauthorised disclosure of personal data, and to respond quickly once a breach has occurred to minimise any damage.
The appeal will be watched closely by employers and legal practitioners in Ireland, as the UK Supreme Court’s decision on the scope of an employer’s vicarious liability for data breaches may be of persuasive authority to the Irish courts. No date has yet been given for the appeal hearing.