The Power of the Class Action by Alan Gough

Get in touch

Mr Justice Langstaff sitting in the Queen’s Bench Division of the High Court has ruled that retailer Morrisons is liable for a data leak committed by a former employee.Over 5500 employees and former employees brought a class action lawsuit seeking compensation after a payroll data leak led to nearly 100,000 employees’ personal information being posted on the internet. The leak contained bank details, salary, national insurance information, addresses and phone numbers.

The case is the first data leak class action case in the UK. Its purpose was to identify whether Morrisons was liable for the data leak. The employees argued that the retailer failed to prevent the leak and was therefore legally responsible for breaches of privacy, confidence and data protection laws. Morrisons denied liability.

The High Court found that primary liability for misuse of private information and breach of confidentiality was not established against Morrisons under the Data Protection Act. But it found that vicarious liability could be established. In this case, this refers to when a lone employee commits a breach of statutory obligations while acting in the course of employment. Where vicarious liability is established it means that the employer is liable for the wrongful acts of its employee. Damages by way of compensation to the victims will be dealt with at a later hearing. Morrisons has been granted permission to appeal.

The lawsuit started when a former senior internal auditor at Morrisons, who held a grudge against the organisation after he received disciplinary action for using Morrisons’ mailroom to operate an eBay business, leaked employees’ personal data online. The employee was prosecuted, convicted and sentenced to eight years in jail for fraud, securing unauthorised access to computer material and disclosing personal data.

Mr Justice Langstaff said:

“Morrisons did not directly misuse any information personal to the data subjects. Nor did [it] authorise its misuse, nor permit it by any carelessness on [its] part. If Morrisons [is] liable it must be vicariously or not all.”

He rejected arguments that the Data Protection Act could not result in vicarious liability being established, and that its terms exclude vicarious liability. He held that secondary vicarious liability was established.

It is a landmark decision, being the first data leak class action in the UK.

Also, it paves the way for victims of data breaches to claim damages for any distress caused, even if they have not suffered any financial loss as a result.

Class actions have been more popular in the US than here and in the UK. Many US attorneys have gotten rich on the back of class actions where they often take a third of the winnings. They enable a selection of the ‘class’ to sue on behalf of all the claimants who may run into hundreds or, as in this case, thousands of individuals.

This successful claim against Morrisons will no doubt encourage more class actions, but it should be remembered that in cases where the defendant is an employer the law is complex and aspects of this judgment may be reviewed on appeal to a higher court.