A High Court ruling has determined that Morrisons Supermarkets is vicariously liable for a data breach maliciously committed by a disgruntled employee.
The case is significant for a number of reasons:
- It is the first time that an employer has been held vicariously liable in such circumstances;
- It did not matter that Morrisons had discharged its obligations to take all necessary steps to prevent the breach;
- Data breaches committed by employees are reasonably common. Once the EU General Data Protection Regulation (GDPR) takes effect in May 2018, breaches like this will have to be reported to the affected individuals (and to the Information Commissioner). It had been thought that compliance with accepted data security standards would offer a defence to any subsequent claims by the affected individuals. This no longer appears to be the case. In effect, we have gone from a negligence standard towards one more akin to strict liability;
- It raises questions about the extent to which insurance cover for data breaches, and the consequences arising from them, is in place or available in such circumstances.
Ian De Freitas and David Morgan consider the case and its implications in more detail in the article linked here.
This publication is a general summary. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, December 2017