In the UK’s first data protection class action, thousands of workers brought a lawsuit against WM Morrisons Supermarkets, alleging that a former IT employee of the company leaked their personal information—such as salaries, national insurance numbers and bank account details—to a number of newspapers in 2014. The employee, Andrew Skelton, was already sentenced to eight years in jail for his actions.
The landmark dispute came to a head in December, when the UK High Court found Morrisons liable for the data breach, opening the way for potential compensation for the nearly 100,000 workers who joined together in the class action. In the ruling, Justice Langstaff found that Morrisons had provided “adequate and appropriate controls” but that secondary or vicarious liability for the actions of one of its employees had been established in the case.
Morrisons has pledged an aggressive appeal of the ruling and, to be sure, the UK High Court went out of its way to spell out that Morrisons was not at fault in the way it protected the personal data of its workers. Still, the fallout from this ruling among businesses in the UK was immediate shock, with executives and their legal counsel quickly evaluating their potential exposure to the unlawful handling of data by disgruntled employees.
The obvious conclusion from the Morrisons ruling is that employers are responsible for what information employees have access to and how their workers handle that data, even when not acting in the course of their employment. It is a serious escalation in the liability UK businesses must assume when it comes to data protection.
This news comes on the heels of two other high-profile data protection disputes in the UK last year, involving payday lender Wonga and telecommunications company TalkTalk. Last fall, TalkTalk was hit with a record £400,000 fine in response to a data breach and the theft of personal data of more than 150,000 customers.
UK legal experts warn this could be the beginning of a surge in litigation brought against businesses related to cybersecurity incidents, especially in light of the May 2018 implementation of the EU’s General Data Protection Regulation (GDPR). In fact, the FT reported on February 11, 2018, that litigation funders may look specifically to finance data protection class action lawsuits against UK businesses when the GDPR goes into effect.
The Morrisons case illustrates that we’ve entered a new era in which businesses may be targeted for data protection class actions, even if the inappropriate handling of data was carried out by a disgruntled employee acting outside of the company’s rules of conduct. It’s important to take advantage of all available tools—people, processes and technologies—to conduct vigilant information risk management that reduces the company’s exposure to the next big data protection class action lawsuit.
# # #
About the Author
Patrick Looney is European sales director for AccessData and is based in the UK. Looney advises clients on how to deal with large or regular data collections, filtering and analysis, complex digital forensic investigations and e-discovery projects. For more information, please go to www.accessdata.com.