Supreme Court data breach ruling will ‘come as a relief’ to pension schemes

The Supreme Court overturning a Court of Appeal ruling on a data breach case against Morrisons will “come as a relief” to pension schemes, according to Herbert Smith Freehills.

On 1 April 2020, the Supreme Court overturned the Court of Appeal’s decision in upholding the ruling of the High Court that the supermarket was vicariously liable for its former employee’s actions of sending data to third parties.

Commenting on the ruling, Herbert Smith Freehills stated: “The Supreme Court’s decision will likely result in a collective sigh of relief for organisations (including sponsors, administrators, pension schemes and pension providers) both in relation to their liability for employees’ actions generally and their potential liability for data breach class actions."

The former employee, who was a senior auditor in Morrisons’ internal audit team, was found guilty of stealing and unlawfully sharing the names, addresses, bank account, salary and national insurance details of almost 100,000 of his former colleagues with news outlets and data sharing websites.

He was given access to the personal data ahead of an annual external audit of the supermarket by KPMG as his task was to collate and transmit the data to KPMG.

The case, Morrisons Supermarkets Plc v Various Claimants, was brought about by 5,000 of the employees affected by the breach.

However, the Supreme Court ruled in favour of Morrisons as the former employee was pursuing his own objective, rather than the company’s, and it said the fact that his job provided him with the opportunity to commit a wrongful act does not make necessary make the company vicariously liable.

The court noted that, once Morrisons were made aware of the leak of the personal information, it took steps to ensure that the data was removed from the internet as well as informing the police and the affected employees.

Morrisons spent over £2m dealing with the aftermath of the data breach, a significant portion of which was spent on identity protection measures for its employees.

Herbert Smith Freehills added: “It is important to note that it does not close the door on data breach class action compensation as a whole. Organisations should still be examining the technical and organisational measures they have in place to prevent personal data breaches in order to reduce the risk of regulatory enforcement and class actions.”

    Share Story:

Recent Stories

Sustainable investing for DC schemes
Laura Blows discusses sustainable investing for defined contribution plans with BlackRock head of UK & MEA global consultant relations, Claire Felgate, in Pensions Age’s latest video interview

Spotlight on Emerging Markets
Francesca Fabrizi talks emerging markets with Polar Capital’s head of Emerging Markets & Asia, Jorry Nøddekær, exploring the opportunities for pension funds in the current global setting

Sustainable Investing
Laura Blows speaks to Royal London Asset Management sustainable fund manager, George Crowdy, about global sustainable equity investing
The latest in multi-asset credit
Laura Blows discusses the high-yield market and multi asset credit with Royal London Asset Management senior fund manager, Khuram Sharih