Data leaks and employer liability

Andrea Ward

Picture the scene:

You’re a conscientious employer. You diligently follow data protection laws. One day, you discover your senior IT auditor has been running a slimming drug supply operation from the office mail room, but you let him off with a verbal warning. When that same employee comes by, as part of his job, the personal data (including bank details) of some 100,000 other employees and, in an act of vengeance, posts it online, you move swiftly to remove the offending material and call the police. The employee gets eight years in prison, but surely you’re not liable for anything. Right?

Various Claimants v. Wm Morrisons Supermarkets plc

Such was the position in which Morrisons found itself in the above named case, which reached the Court of Appeal this month. In the first data leak class action in the UK, some 5,000 victims of the leak sued Morrisons over its failure to protect their personal data. The supermarket was found to be vicariously liable and, though the level of damages is yet to be decided (and subject to the appeal), the decision potentially has significant ramifications for employers.

Key points

  • Following the rules not enough?

On the facts, Morrisons didn’t do a lot wrong. It was found to have had in place appropriate data protection measures. The employee committed the offence at home on a Sunday, using his personal computer. In fact, other than “worry, stress and inconvenience” on the part of the defendants, it doesn’t appear anyone suffered a financial loss as a result of the leak (unlike Morrisons, which spent some £2 million tackling it). Nevertheless, the judge found an “unbroken thread” between the unauthorised disclosure and the culprit’s work as an employee. Morrisons, in allowing the employee to access the data, had taken “the risk that they might be wrong in placing the trust in him”, and was liable as his employer.

  • Balancing protections with the level of risk

The judge stated that, in deciding the appropriate level of data protection, employers must weigh the risk of the activity in question (including the severity of harm that may result from a breach) against the costs of protective measures and the importance of conducting the activity. Accordingly, a company with over 100,000 employees is held to a higher standard than one with only a handful.

  • The importance of deleting data

The offending employee came by the data when asked to pass it on to Morrisons’ external auditors. The file being too large to email, it was taken out of a secure system and placed onto a USB stick. Despite being generally commended for its approach to data protection, Morrisons was chided for its failure to have in place a procedure for deletion of the data post-transfer (though on the facts, there was no liability attached, since this was found not to be the cause of the leak). The judge found Morrisons should have conducted checks to ensure the data had been deleted.

  • The importance of a plan

Danielle Lloyd v Carphone Warehouse from 2011 is a good example of how not to handle a data breach. After an enterprising employee tasked with transferring data between phones discovered and tried to sell personal photos of Ms Lloyd to the tabloids, an initial claim for £2,500 was allowed to spiral into £150,000 of legal costs and a £10,000 out-of-court settlement. Morrisons, by contrast, managed the breach reasonably well, but they did, during a successful claim for damages against the employee, make a point of the distress caused to the victims. Naturally, this can hardly have helped when those same victims turned around and sued Morrisons for the same suffering.


With the introduction of the GDPR and resulting heightened awareness around personal data, such class actions are likely to become more prevalent. The Morrisons case shows that even where compliance levels are sufficient to avoid a fine under the GDPR, that may not be enough to prevail in subsequent group litigation.

It serves as another reminder to employers to only process data where strictly necessary, to think carefully about which individuals are granted access, and to ensure data is immediately deleted once it is no longer needed. Having clear employment policies, training and contracts is also essential.

The Ignition Law team are experts in data protection and employment planning and management for start-ups and SMEs. For assistance, please contact Andrea Ward at
