The Supreme Court overturning a Court of Appeal ruling on a data breach case against Morrisons will “come as a relief” to pension schemes, according to Herbert Smith Freehills.
On 1 April 2020, the Supreme Court overturned the Court of Appeal’s decision, which had upheld the High Court’s ruling that the supermarket was vicariously liable for its former employee’s actions in sending data to third parties.
Commenting on the ruling, Herbert Smith Freehills stated: “The Supreme Court’s decision will likely result in a collective sigh of relief for organisations (including sponsors, administrators, pension schemes and pension providers) both in relation to their liability for employees’ actions generally and their potential liability for data breach class actions.”
The former employee, who was a senior auditor in Morrisons’ internal audit team, was found guilty of stealing and unlawfully sharing the names, addresses, bank account, salary and national insurance details of almost 100,000 of his former colleagues with news outlets and data sharing websites.
He was given access to the personal data ahead of an annual external audit of the supermarket by KPMG as his task was to collate and transmit the data to KPMG.
The case, Morrisons Supermarkets Plc v Various Claimants, was brought by 5,000 of the employees affected by the breach.
However, the Supreme Court ruled in favour of Morrisons as the former employee was pursuing his own objective, rather than the company’s, and it said the fact that his job provided him with the opportunity to commit a wrongful act does not necessarily make the company vicariously liable.
The court noted that, once Morrisons was made aware of the leak of the personal information, it took steps to ensure that the data was removed from the internet as well as informing the police and the affected employees.
Morrisons spent over £2m dealing with the aftermath of the data breach, a significant portion of which was spent on identity protection measures for its employees.
Herbert Smith Freehills added: “It is important to note that it does not close the door on data breach class action compensation as a whole. Organisations should still be examining the technical and organisational measures they have in place to prevent personal data breaches in order to reduce the risk of regulatory enforcement and class actions.”