Research On Criminal Liability Of Tech Providers In Cases Of Data Breaches
1. WM Morrison Supermarkets plc v Various Claimants (UK Supreme Court, 2020)
Facts:
Andrew Skelton, a senior IT auditor at Morrisons with legitimate access to payroll data, copied the payroll records of roughly 100,000 employees in 2014, posted them on a file-sharing site and sent them to newspapers. The data included names, addresses, dates of birth, bank account and sort code details, salaries and National Insurance numbers. Around 9,000 affected employees sued Morrisons.
Legal Issues:
Could Morrisons, as employer, be held vicariously liable to its staff for a deliberate criminal act by an employee who was acting against the company's interests?
Did the Data Protection Act 1998 exclude vicarious liability for a data controller's employee, and what was Morrisons' own (primary) duty as controller to prevent the breach?
Outcome:
Skelton was convicted in 2015 of fraud, securing unauthorised access to computer material under the Computer Misuse Act 1990 and unlawfully disclosing personal data, and was sentenced to eight years' imprisonment.
At first instance Morrisons was found not to be primarily liable as controller, but the High Court and Court of Appeal held it vicariously liable. The Supreme Court ([2020] UKSC 12) reversed: the disclosure was not so closely connected with the tasks Skelton was authorised to do that it could fairly be regarded as done in the ordinary course of his employment. He was pursuing a personal vendetta against his employer, and the fact that his job merely gave him the opportunity to access the data was not enough. The Court did confirm, however, that the Data Protection Act 1998 does not in principle exclude vicarious liability.
Significance:
Employers are not automatically liable for rogue employee acts that fall outside the scope of employment; the test is whether the wrongdoing is closely connected with the employee's authorised tasks, not whether the job gave the opportunity.
Tech providers must still be able to show that their own controls as data controller were adequate (restricting and logging privileged access to bulk personal data, monitoring exports by trusted insiders), because primary liability is assessed separately from vicarious liability.
2. TalkTalk Telecom Group plc (UK, 2015)
Facts:
In October 2015 attackers used SQL injection against vulnerable webpages that TalkTalk had inherited through its acquisition of Tiscali, accessing the personal data of 156,959 customers, including bank account numbers and sort codes for 15,656 of them.
Legal Issues:
Was the company criminally or regulatorily liable for failing to take appropriate technical and organisational measures to secure customer data?
Outcome:
In October 2016 the UK Information Commissioner's Office fined TalkTalk £400,000 under the Data Protection Act 1998, at that time the largest fine it had issued. The ICO found that the SQL injection weakness was well known, that a fix was available, and that TalkTalk had not acted on two earlier attacks on the same pages.
This was a regulatory penalty rather than a criminal prosecution of the company; the attackers themselves were separately prosecuted under the Computer Misuse Act 1990. The case nonetheless showed the company's legal exposure for negligent security.
Significance:
Even where no employee acts maliciously, failure to maintain basic cybersecurity (patching known vulnerabilities, investigating earlier attacks) can trigger civil, regulatory and, in some jurisdictions, criminal liability.
Tech providers must comply with industry-standard security practices, and be able to evidence that they did, to reduce liability.
3. Indian Case – Data Disclosure Under IT Act (Section 72A, 2018)
Facts:
A company handling sensitive personal data obtained under a lawful contract shared user data with third parties without the users' consent.
Legal Issues:
Did the company commit an offence under Section 72A of the Information Technology Act 2000 (inserted by the 2008 amendment), which criminalises disclosure of personal information obtained under a lawful contract, without the consent of the person concerned or in breach of that contract, with intent to cause or knowing it is likely to cause wrongful loss or wrongful gain?
Outcome:
Courts held that such disclosure, made knowingly or with intent, constitutes a criminal offence punishable with imprisonment of up to three years, a fine of up to five lakh rupees, or both.
Significance:
Tech providers in India are legally obliged to implement "reasonable security practices and procedures" (Section 43A and the SPDI Rules 2011) and to ensure no unauthorised disclosure occurs.
Criminal liability under Section 72A turns on a knowing or intentional disclosure; merely negligent exposure of personal data is a matter of civil compensation under Section 43A rather than a criminal offence.
4. Bridlington Lodge Care Home (UK, 2025)
Facts:
The director of a care home deliberately concealed or destroyed personal data after receiving a valid Data Subject Access Request, in order to prevent its disclosure, contrary to the UK Data Protection Act 2018.
Legal Issues:
Section 173 of the DPA 2018 makes it an offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing its disclosure to a person entitled to it under a subject access request. Did the director's conduct meet that test?
Outcome:
The director was successfully prosecuted for the Section 173 offence.
The case shows that criminal liability can arise not only from external breaches but also from internal mishandling of data subject requests.
Significance:
Tech providers must have procedures to honour data subject rights, including a legal hold that suspends routine deletion of any data within the scope of a pending request.
Concealment or destruction of personal data to frustrate a request can lead to criminal liability even when no attacker is involved.
5. UK – Individual Liability for Unauthorized Access (Luke Coleman Case, 2025)
Facts:
An employee of a telecom company accessed customer records without authorisation and disclosed the data to others.
Legal Issues:
Does the Data Protection Act 2018 impose criminal liability on an individual employee, independently of the employer, for knowingly or recklessly obtaining or disclosing personal data without the controller's consent?
Outcome:
The employee was convicted and fined for unlawfully obtaining and disclosing personal data.
The case demonstrates that individual employees can be held criminally liable in their own right, not just the company.
Significance:
Tech providers must restrict employee access to customer data on a need-to-know basis, log every access to customer records, review those logs for anomalous lookups, and run periodic access audits so that misuse is detected and can be evidenced.
6. Hypothetical Indian Data Breach Case
Facts:
A platform storing sensitive financial data failed to encrypt it properly, and attackers gained unauthorised access to it.
Legal Issues:
Was the company civilly liable for negligence under Section 43A of the IT Act (compensation for failure to implement reasonable security practices), and could it also be criminally liable under Section 72A (unlawful disclosure)?
Outcome:
In this scenario the company would face compensation claims and orders to implement proper security measures under Section 43A.
Criminal liability under Section 72A would follow only if it could be established that data was disclosed knowingly or with intent; negligence alone, however serious, does not satisfy that section.
Significance:
Highlights the dual nature of liability in India: civil liability for negligent security, criminal liability for knowing or intentional unlawful disclosure.
Tech providers must proactively maintain security controls (including encryption of sensitive data at rest and in transit) and be able to demonstrate compliance.
Key Takeaways Across Cases
Vicarious liability is limited: employers and providers are not automatically liable for rogue employee acts that are not closely connected with the employee's authorised tasks (Morrisons).
Negligence can trigger liability: failure to implement reasonable security practices can lead to civil or regulatory penalties and, in some jurisdictions, criminal liability (TalkTalk, Indian IT Act cases).
Employee accountability matters: unauthorised access to or disclosure of personal data by individuals can lead to personal criminal liability (Luke Coleman case).
Data subject rights must be respected: concealing, destroying or obstructing access to personal data in response to a request is a criminal offence (Bridlington Lodge case).
Comparative perspective: both India and the UK recognise criminal exposure for tech providers or their employees in data breach scenarios, but the thresholds differ (intent or knowledge for India's Section 72A; knowledge or recklessness for the UK's DPA 2018 offences; negligence generally attracting civil or regulatory rather than criminal liability).