UK supermarket chain Morrisons has been held vicariously liable for the acts of a malicious employee in the UK’s first data leak class action. The issue began in 2014, when a disgruntled internal IT auditor at Morrisons posted the payroll data of nearly 100,000 employees (including names, addresses, dates of birth, national insurance numbers and bank details) to a public file-sharing website. The employee was found criminally liable in 2015 and jailed for eight years. In a class action, 5,500 employees filed claims against Morrisons alleging breaches of the Data Protection Act 1998 (DPA). Although Morrisons acted swiftly and responsibly after the leak, and was found not to be primarily liable, the court of appeals has nonetheless now affirmed the lower court ruling that Morrisons is vicariously liable for the unlawful acts of its employee carried out in the course of his employment.
Putting it Into Practice: Though sound policies and practices can reduce companies’ risk, choosing the right employees and carefully restricting access to sensitive data are also important.