Poetic Justice? The Data Leek

With the countdown to GDPR implementation on 25 May 2018 well under way, we revisit the recent judgment in Various Claimants v WM Morrisons Supermarket PLC [2017] EWHC 3113, but this time with a poetic spin in homage to Valentine’s Day and in a wildly ambitious attempt to mix data law with romance… for never was there a story of more woe than…erm…this of a business and its data leek…

The Data Leek

His was a crime of supermarket passion
But fruit he was not, more so a leek
Who caused our law’s first data class action
And left Morrisons up the creek

For the leek saw fit to flood the net
With a pool of payroll data distress
That summoned the sharks of identity theft
Fins circling the smell of financial stress

Stranded cashiers, managers and stackers
For thousands the future looked bleak
All weary of the hungry hackers
All cursing the cheek of the leek

Their plea was to a DPA lifeboat
And the oars of confidence and privacy
They sued for breaches to stay afloat
And demanded Morrisons’ liability

Liability be direct they cried
Or vicarious for sending us to sea
One or the other to save us from high tide
Buy One Get One Free

BOGOF was Morrisons’ reply
We were no data controller
Moreover our security did comply
We will not roll over

And to be vicariously liable for a leek?
That secondary plea is overblown
The DPA excluded this speak
While the leek was on a frolic of his own

And so it was left to Langstaff J
Who threw a lifeline and made this case famous
I say vicarious breach of the DPA
“Under the principle of social justice”

A justice of pro-privacy jurisprudence
But justice which propelled a criminal aim
Of frozen isle supermarket vengeance
So is there really justice in Morrisons’ blame?

Whether or not the tide turns on appeal
Businesses take note of this leeky tale
Anchor your security and never open the seal
Lest you wish your reputation to set sail

Oh his was a crime of supermarket passion
But fruit he was not, more so a leek
Who caused our law’s first data class action
And left Morrisons up the creek

This was a landmark High Court decision involving a rogue employee with an axe to grind. He leaked personal payroll related data of thousands of staff online. Those affected sued their employer for breach of the Data Protection Act 1998, misuse of private information and breach of confidence. The judge accepted the business was not directly liable; that it had complied with all key data security measures; and was itself a victim in this matter. Nevertheless, he found the business vicariously liable for the employee’s actions instead. Whether this constitutes a poetic justice is being appealed.

The decision serves as an important reminder for businesses to get their houses in order ahead of the GDPR implementation date. This includes taking measures to secure what is commonly considered to be a businesses weakest link in data security: accidental (as well as deliberate) leaks of data by its employees.

The Data Leek by Freeths IP & Media lawyer, Kishan Pattni, is to feature in this Spring’s edition of Freeths’ IPSO FACTO magazine, featuring latest news from the world of IP, media and reputation management and advertising.

---

The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.