At the end of last year the Morrison's data protection case sent the business community into turmoil when the English High Court ruled that a firm is vicariously liable for the data-related malfeasance of an employee who acts malevolently on his own. The Court of Appeal has now upheld the decision.

Last year, the large retail firm of Morrisons resolved to appeal against the High Court's decision that it should be held vicariously liable for the acts of a rogue employee. The Court of Appeal has now upheld the decision. Morrisons says that it will appeal to the Supreme Court. If the appeal fails, every employee whom the perpetrator affected could be entitled to damages.

With every business still coming to terms with its new legal obligations under the European Union's General Data Protection Regulation (GDPR), which came into force in May, the timing of this case is important. Financial firms hold some of the most sensitive personal data available and ought to learn lessons from this landmark case and review their data protection policies and procedures accordingly. Although the Morrisons case concerns data about employees, this could equally have been data about customers.

The decision

The claim arose from the actions of an employee, Mr Skelton, in January 2014. Skelton had a grudge against the company and intentionally leaked 99,998 employee records online. His sole objective was to harm Morrisons and not the employees. More than 5,000 employees used a group litigation order to sue Morrisons for compensation.

On 1 December 2017, the High Court held that although Morrisons was not primarily liable or directly at fault for the 'data breach' (it having exercised "adequate and appropriate controls") it was vicariously liable for Skelton's actions.

Morrisons, unsurprisingly, appealed against the decision. On 22 October 2018, the Court of Appeal upheld the High Court's decision that Morrisons was vicariously liable for the breach, despite the data protection policies and the security controls that it had in place. Many lawyers and academics are questioning the fairness of the judgment.

Crucial steps for business

Fair or not, the Court of Appeal's decision should sound warning bells for every financial services firm. The case shows that an employer can be held vicariously liable even where there has been significant investment and adequate and appropriate data protection controls and policies in place.

There are five key areas of investment that can help protect firms:

• Technology. Firms have already spent copious sums of money in preparation for the GDPR in May, but they will now have to make some further investment in artificial intelligence to ward off the prospect of losing data (particularly in large organisations). AI can be an effective way of ensuring that only people with the right authorisation can access data and of forcing them to use it in accordance with the company's data protection policies.
• Policies and procedures. Firms must also consider changing their policies and procedures to offset the risk of data-related problems. They may need to do so to limit the number of employees with access to sensitive information, while setting strict guidelines to govern the ways in which they use it and share it. They might also have to review their 'human resources' policies, the better to spot situations in which an employee (particularly one with access to significant types and volumes of data) may become disgruntled.
• Training. Senior managers and supervisors are likely to require further training to help them identify the areas of risk when it comes to employees handling data.
• Insurance. Morrisons' lawyers told the court that the decision was likely to be very costly for innocent employers. The Court of Appeal replied that firms were able to take out insurance to cover these circumstances. Firms ought to consider doing so.
• Reputation. However a 'data breach' (i.e. an infraction against the GDPR) occurs, it can have a significant and wide-ranging effect on a firm's reputation. Many companies that have suffered in this way have also suffered a drop in share price and customers' loyalty. Firms should plan to offset this.

Despite all these precautions, it is nearly impossible to protect a business in every way against the acts of a determined and disgruntled employee. Until the Supreme Court considers the case, it is likely to attract the attention of the claims management industry.

* Richard Hayllar can be reached on +44 (0)333 006 0436 or at richard.hayllar@TLTsolicitors.com