There has been an emerging trend for individuals to sue for compensation for breaches of the GDPR including after cyber-attacks. Two recent cases give important guidance to controllers on the extent to which they may be liable for a data protection breach.
WM Morrison Supermarkets Plc v various Claimants
This is a recent Supreme Court decision which importantly found that the employer, Morrisons, was not vicariously liable for breach of data protection law committed by an employee.

The employee (S) was a senior auditor who as part of his job was given access to the payroll data of the whole workforce. Unbeknown to Morrisons S harboured a grudge which led to him copying and uploading the data of nearly 100,000 employees to a publicly accessible file sharing site as well as sending data to various newspapers. S took extensive steps to cover his tracks but was eventually caught and imprisoned. Morrisons spent more than £2.26 million in dealing with the aftermath of the disclosure.
A group action for damages was commenced by 9,263 employees/former employees who alleged they had suffered distress because of the disclosure. If successful Morrisons faced potential claims from all the affected individuals, so its potential liability was significant. In both the High Court and the Court of Appeal, Morrisons was found not to be directly liable for the disclosure. However, it was found to be liable on a vicarious basis as the employee was considered to be acting in the course of his employment when he made the disclosure. Fortunately for Morrisons, the Supreme Court overturned this decision.

The Supreme Court considered that the key question to establish vicarious liability is whether the disclosure of the data was so closely connected with acts that the employee was authorised to do that, for the purposes of the employer’s liability to third parties, the employee’s wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment. In this case the Court considered that the employee was not engaged in furthering the business of his employer when he committed the wrongdoing but rather was pursuing a personal vendetta. His wrongful conduct was not so closely connected with acts which he was authorised to do that it could fairly and properly be regarded as done by him while acting in the ordinary course of his employment so as to establish vicarious liability.

This marks a welcome decision for employers, particularly as the Court of Appeal and court of first instance had previously found Morrisons to be vicariously liable for S’s actions. However, it is important to remember that where an employee is processing data on behalf of their employer, the employer is directly liable for any non-compliance with the data protection legislation. Employees should be trained on data protection and compliance monitored. An employer who fails to put in place appropriate security measures to guard against unlawful disclosure and/or data loss which causes or contributes to a disclosure will also be liable under the GDPR.

Atkinson v Equifax Ltd
This case relates to a significant cyber-attack on Equifax US in 2017. Mr Atkinson brought a representative civil action seeking, according to his solicitors, compensation of £100 million on behalf of 15 million affected customers. He claimed damages for “loss of control” of his data. This followed the Court of Appeal judgement in Lloyd v Google which found that damages can be awarded for loss of control of data, even if there is no pecuniary loss or distress. Equifax Limited had already been fined £500,000 by the ICO, the maximum amount for a pre-GDPR breach, so the civil action represented further significant liability.

It has recently been reported by the barrister team acting on behalf of Equifax that, following service of the defence, Mr Atkinson is withdrawing his representative action and his solicitors have accepted that Equifax is entitled to recover its costs The defence is said to have challenged the correctness of Lloyd v Google and its application to a cyber-attack case and must have been persuasive to lead to the withdrawal of the claim.
It will be interesting to see whether this leads to a downturn in the number of class-action type claims brought by groups of individuals for damages following a cyber-attack. Lloyd v Google has also been appealed to the Supreme Court so further developments on “loss of control” damages are expected.

Conclusion
The potential fines for non-compliance with the GDPR have attracted headlines. However, there can also be potential liability to pay compensation to individuals for a data protection breach. For breaches that affect a large number of individuals this can be a significant additional liability. Whilst the Morrisons and Equifax cases demonstrate that there may be some limitations on such compensation claims, we await to see what effect they will have on the market for compensation claims.
If you require any further information or assistance please contact our specialist data protection team:

Amy Chandler, Partner, amy.chandler@pannonecorporate-com.stackstaging.com
Patricia Jones, Consultant, patricia.jones@pannonecorporate-com.stackstaging.com
Danielle Amor, Senior Associate, danielle.amor@pannonecorporate-com.stackstaging.com