The legal industry (or perhaps more accurately, data protection lawyers and those with a keen interest in vicarious liability) have been waiting with bated breath for 'Round 3' of the legal battle involving Morrisons and a group of more than 5000 employees who are suing the supermarket chain for its alleged breach of data protection law. A date is finally in the diary for the Supreme Court hearing - 6 and 7 November 2019.
The case concerns a disgruntled former employee who uploaded the details of nearly 100,000 employees to a file-sharing site and contacted the media. The information included the employees' names, addresses, gender, dates of birth, phone numbers, NI numbers, bank sort codes, account numbers and salary details. Morrisons acted swiftly and the website was taken down within hours. A group of employees have now sued Morrisons in the first litigation of its type in the UK.
The High Court held that Morrisons had no primary liability for the actions of the rogue employee and largely had appropriate security measures in place. Despite this, Morrisons were found to be vicariously liable for the former employee's actions. Morrisons unsuccessfully appealed to the Court of Appeal and are now heading to the Supreme Court in November in a final attempt to argue that they should not be liable for this former employee's actions.
The case is important for businesses to be aware of as it involves an essentially compliant company on the receiving end of a class action it could have done little to avoid. In the GDPR era of mandatory notification this is even more concerning. The case is a reminder that businesses should look carefully at the measures they take to mitigate these types of risks, including the insurance arrangements they have in place in respect of data breaches as well as internal procedures around responding to breaches.
We will be following the hearing and will provide an update when we have the result.
Wm Morrison, the UK supermarket chain, is heading to Britain’s highest court in an effort to overturn a ruling that it is responsible for compensating thousands of employees for a data breach.