By the Data Security & Privacy Team

While an ocean away, supermarket Morrisons’ loss in the United Kingdom’s appellate court should act as a warning to all United States-based and international companies. On October 22, 2018, Morrisons lost its appeal in a landmark high-court ruling and was held vicariously liable for the intentional actions of a former employee, Andrew Skelton, which led to the leak of the personal information of more than 100,000 of its employees. This decision came down despite Morrisons’ demonstration that it had lawfully discharged its obligations under the United Kingdom’s Data Protection Act of 1998. In July 2015, Skelton was sentenced to eight years in prison.

This decision represents the United Kingdom’s warning that organizations have a significant duty to protect the personal data of their customers and employees, a duty that goes beyond the data breach protection rules issued by individual countries. And with 5,558 members of the Class Action, it is expected that Morrisons will face a hefty compensation ruling. According to Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who represented the class, “Large corporations take responsibility when things go wrong in their own business and cause harm to innocent victims. It is important to remember that data protection is not solely about protecting information – it is about protecting people.” A spokesperson for Morrisons publicly stated that they will now appeal this decision to the Supreme Court.

Going forward, compliance officers for various corporations should anticipate legal responsibility for any type of data breach under the legal theory of vicarious liability if the Morrisons decision crosses the Atlantic. This is yet another signal of the importance of improving security protocols for company data, as well as of additional screening for employees entrusted with that data.

Indeed, on October 26, 2018, the Middle District of North Carolina approved a class-action settlement for a 2016 disclosure of personal identifying information of employees of HAECO Americas, Inc. (“HAECO”), after W-2 statements were leaked in response to a phishing scheme. See David Linnins, et al v. HAECO Americas, Inc., 2018 WL 5312193 (M.D.N.C., 2018). The class action plaintiffs “asserted claims for negligence, invasion of privacy, and violation of the North Carolina Unfair and Deceptive Trade Practices Act[,] which included an alleged violation of the North Carolina Identity Theft Protection Act.” Id. at *1. According to published details of the settlement agreement, HAECO agreed to the following terms:

  • Provide affected parties with 2 years of Experian Protect MyID Elite services;
  • Reimburse $350 to members of the class who previously purchased similar identity theft monitoring programs;
  • Establish a claim fund in the amount of $312,500 to compensate class members for damages, expenses, and inconveniences they incurred; and
  • Take data and cyber security steps, including mandatory cyber security training for all employees, for at least three years. Id. at *1-*2.

The Middle District of North Carolina further ordered that the Plaintiffs’ counsels’ request for $150,000.00 in additional attorneys’ fees was reasonable. Id. at *4.