Ruling significantly increases organisations' exposure to data breach claims

News

11.12.2017

A High Court ruling has determined that Morrisons Supermarkets is vicariously liable for a data breach maliciously committed by a disgruntled employee.

The case is significant for a number of reasons:

It is the first time that an employer has been held vicariously liable in such circumstances;
It did not matter that Morrisons had discharged their obligations to take all necessary steps to prevent the breach;
Data breaches committed by employees are reasonably common. Once the EU General Data Protection Regulation (GDPR) takes effect in May 2018, breaches like this will have to be reported to the affected individuals (and to the Information Commissioner). It had been thought that compliance with accepted data security standards would offer a defence to any subsequent claims by the affected individuals. This no longer appears to be the case. In effect, we have gone from a negligence standard towards one more akin to strict liability;
It raises questions about the extent to which insurance cover for data breaches, and the consequences arising from them, is in place or available in such circumstances.

Ian De Freitas and David Morgan consider the case and its implications in more detail in the article linked here.

If you require further information on anything covered in this briefing please contact Ian De Freitas or David Morgan or your usual contact at the firm on 020 3375 7000.

This publication is a general summary. It should not replace legal advice tailored to your specific circumstances.