SUMMARY
- Data breach landmark ruling from London
- What kind of data breach had happened?
- Who is responsible for such (comparable) data breaches – What do UK courts say?
- How can the risks of class actions for data breaches against your company be limited in practice?
- Data breach class actions will rise even more globally
I. Data breach landmark ruling from London
At the end of 2018, the Court of Appeal in London made a significant decision that seemed to have serious consequences, even beyond the borders of England (Wm Morrisons Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339). According to this ruling, an employer is liable for willful data breaches committed by a former employee. The fact that this individual had acted with intent to damage the reputation and finances of his employer was legally irrelevant.
However, the Supreme Court has overruled this decision in 2020 (WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12 ). Businesses will generally not be held vicariously liable for the actions of rogue employees in the UK. Why is this important for you, having your business focus on China, the US or Germany? Because this decision represents a trend whereby employers/companies are being held (vicariously) liable by courts for comparable data breaches. The risk of class actions associated with this cannot be underestimated as plaintiffs do not even have to suffer any concrete damage in order to sue for substantial damages in all cases, generally.
Such legal proceedings happen all over the world, and will occur more frequently in the future. Against this background, it makes sense to discuss this landmark ruling now. This decision offers the opportunity for a strategic outlook into the future. Because it cannot be foreseen how courts will decide in this context in future globally, it is necessary to deal with these issues at an early stage.
II. What kind of data breach had happened?
Plaintiffs were 5518 employees of the supermarket chain Wm Morrison Supermarkets plc (In the Following: Morrisons). They did not suffer any direct damage as a result of the events leading to the lawsuit, but distress. The cause of action was the unauthorized uploading of personal data by an employee of Morrisons, including in particular names, addresses, dates of birth, various home numbers, health insurance numbers and information on bank accounts and salary payments. In addition to uploading the data to the file-sharing website, this individual had also forwarded the data to three different newspapers in the United Kingdom. Nearly 100,000 Morrisons employees were affected by this data disclosure. The uploading process was carried out from the employee’s personal PC at home.
III. Who is responsible for such (comparable) data breaches – What do UK courts say?
The courts denied Morrisons liability for its own fault at least, finding that no data protection law had been violated by the supermarket chain and that no liability arose from legitimate expectations considerations. It was the employee, not the defendant Morrisons, who was causally responsible for the breach of the Law. Also, the court did not consider the employee’s actions to be directly induced by Morrison.
In addition to that, the courts held that Morrisons had taken appropriate technical and organizational measures to prevent such an incident (Here again, you see the importance of a functioning compliance management systems if things get rough. Ultimately, therefore, the defendant could not be assumed to be liable for its own fault.
But these findings did not help Morrisons. The defendant was held vicariously liable for his employee. As you can imagine, there has been a public outcry: Although having done everything what the law expected from Morrisons, it was supposed to pay for the wrongdoing of an individual.
The Supreme Court, however, considered the position afresh, finding that the High Court and the Court of Appeal had misunderstood the existing authority on vicarious liability. It held that an employee’s wrongful actions “was not so closely connected with acts which he was authorized to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment”. Long story short: This data breach happened not in the course of furthering the business of Morrisons, it was the result of a personal (“private”) grudge of the employee against his employer. Although the case was brought under the (old) Data Protection Act in the UK, the position would not be any different under the General Data Protection Regulation and the new Data Protection Act.
IV. How can the risks of class actions for data breaches against your company be limited in practice?
You should monitor your technical arrangements for monitoring breaches in the context of personal data more closely. This is the only way to effectively reduce the risk of class actions.
Terminated employees are generally to be released from continuing their work until the end of the employment relationship. That may certainly lead to financial burdens on the company. The employee does not work anymore – a replacement must be obtained –, but the wages still have to be paid to the individual. Nevertheless, in the end, this is regularly the best option.
As to our experience, you cannot just rely on the assessment of HR officers whether legal violations are to be expected from the terminated employee. In principle, the restriction of access to personal (secret) data of the terminated employee could also be considered. However, it is questionable to what extent this can actually be implemented in practice – especially with long-term and technically highly skilled employees.
Experience has shown that a spurned employee who remains in the company will find ways to seriously damage his employer from within. If you weigh up the considerable, possible damage that such a terminated employee can cause from within the company with the costs of the lack of labor, the exemption of the employee will usually be the best modus operandi (It is noted that Morrisons had spent more than £2.26m in dealing with the immediate aftermath of the disclosure/please remember: Morrisons has won the case in the end).
The possibility of unilateral exemption of an employee by the employer, especially in the event of termination by the employer, should already be regulated preventively in the employment contract. In the event of termination, the exemption could thus take place on a solid legal basis.
V. Data breach class actions will rise even more globally
This case shows, like a textbook, that there are also good reasons to see whether an employer is liable for deliberate violations of data protection law regardless of fault. Finally, there is no right or wrong decision, it merely is an evaluation every society has to made on its own. Of course, even such basic decisions can change quick. At the moment, data protecting is trending (General Data Protection Regulation).
For instance, in Grossman v. Nissan Canada, 2019 ONSC 6180, a class action was certified against Nissan after one of its employees improperly accessed confidential information, threatening to disclose this data unless he was paid ransom. The plaintiffs have been successful, Canadian courts unanimously support the proposition that an employer may be vicariously liable for the data breach tort of an employee, depending on the factual circumstances.
As we are convinced that this is only the beginning of cases like this, we advise clients to get information about how to effectively lower the risks of class actions in the countries they do business in.
Get in touch for a country-specific risk assessment!
