Data breach precedent set

A recent decision by the Court of Appeal should sound the warning bells for all businesses that handle data.

The Court of Appeal dismissed an appeal that Morrisons was vicariously liable for its employee’s misuse of data, despite Morrisons having done as much as it reasonably could to prevent the misuse, and the employee’s intention being to cause reputational or financial damage to Morrisons itself.

This case highlights the wide reach of data protection. An organisation can be liable for data breaches even if it has taken appropriate measures to comply with the data protection legislation itself, and even if it is the intended victim of the breach. In this respect, the decision will also concern employers who can now be vicariously liable for the actions taken by a rogue employee even with appropriate safeguards in place to protect employee personal data. In addition to civil liability, organisations may suffer further damage as a result of negative publicity and impact on share price.

The fear for organisations will now be that this decision, combined with the legislative changes made by the GDPR, increased public awareness of data protection issues, and the publicity that the case has attracted, could spark a new wave of court cases from workers and customers in the event of a data breach.

Importantly, the case also related to data breaches which occurred prior to 25 May.