The decision handed down in Various Claimants v Wm Morrisons Supermarket PLC EWHC 3113 (QB) is relevant to determining when an employer will be liable for data protection breaches caused by a rogue employee. As the GDPR compliance deadline (25 May 2018) approaches, any employer that has not taken matters into its own hands and kept data protection on its radar may find the recent decision quite unsettling.
Background of the case
The decision follows a data protection breach by Andrew Skelton, a senior IT employee at Morrisons. In January 2014, Mr Skelton disclosed a file containing the data of nearly 100,000 Morrisons employees on a file-sharing website. Mr Skelton's rogue behaviour was a response to a previous verbal warning unrelated to this matter. A compensation claim was subsequently brought against Morrisons in the High Court by a group of employees whose data had been disclosed.
The ten-day trial concerned claims that Morrisons was directly liable for the disclosure of the data and claims that it was vicariously liable for the actions of its employee, Mr Skelton. The claim in respect of direct liability failed, as Morrisons was found not to have been in breach of the Data Protection Act 1998. However, despite having found Morrisons' in-house procedures sufficient, the Court held that the claim in respect of vicarious liability succeeded, making Morrisons liable for its employee's breach and consequently liable for the Claimants' damages.
The Defendant's argument was that the majority of the work involved in pursuing the claim related to the direct liability claim, on which the Defendant had ultimately succeeded. The Defendant contended that the Claimants should not be entitled to their costs in the matter; however, it accepted that the general rule is the starting point and that "the starting point is that the Claimants should be entitled to all their costs for the action…".
The next step was for the judge to consider the case law and the principles surrounding the Court's discretion as to costs. Having regard to the line of authorities in English v Emery Reimbold and Strick Ltd 2002 1 WLR 2409, EWCA Civ 605, which stated in a combined judgment, "…contrary to what might be thought to be the case, a 'percentage' order, under rule 44.3(6)(a), made by the judge who heard the application will often produce a fairer result than an 'issues based' order under rule 44.3(6)(f)", and to the general review in Multiplex Constructions (UK) Limited v Cleveland Bridge UK Limited EWHC 2280 (TCC), which further referenced the advice to hesitate before making an "issue based" order, the judge proceeded to consider the relevant findings in the case and the factors under CPR 44(4) and (5).
The judge further explained that, in establishing the percentage of costs to be awarded, he had considered not only the factors mentioned above but also the extent of overlap between the claims.
In his decision to make a proportionate costs order, the judge rejected both of Morrisons' arguments, one seeking a costs order in the Defendant's favour and the other requesting that the parties bear their own costs. He also rejected the Claimants' argument that they should be entitled to the majority of their costs. The judge saw the Claimants as the overall winners; however, he considered that a considerable amount of time had ultimately been spent dealing with the direct liability claim, which they lost, and therefore ordered the Defendant to pay the Claimants 40% of their costs of the action, to be assessed if not agreed.
The judgment is an interesting read on how the principles of vicarious liability apply to data protection. Although each case will be fact-sensitive, the standards by which organisations are judged regarding data protection breaches are at this time of the utmost importance and, if not complied with, may invite substantial fines under the GDPR. In order to avoid liability for compensation, organisations must take the appropriate steps to comply, or else prepare for the potential liability in order to mitigate the risks when a data breach occurs.