
Farrer & Co | Data breaches just got a lot more worrying for employers

Last week, the Court of Appeal handed down judgment in the case of Wm Morrisons Supermarkets plc v Various claimants, upholding the High Court’s decision that Morrisons was vicariously liable for the misuse of data by a rogue employee. 

The decision is a significant blow for employers, since it demonstrates how they can be held liable for data breaches outside of their control or responsibility, making it hard for organisations to know what to do to guard against this sort of situation.  In a post-GDPR world, where people have an increased awareness of their data protection rights, it has the potential to leave employers vulnerable to the acts of disaffected employees. 

The judgment contained several important points to note for employers:

  1. An employer can be held vicariously liable for an employee’s data breach, even if they have done as much as they reasonably can to avoid any such breach.
  2. The motive of the employee is irrelevant. In this case, the employee’s intention in leaking the data was to cause reputational or financial damage to Morrisons. The High Court was troubled by the fact that imposing vicarious liability on Morrisons in these circumstances effectively furthered the employee’s criminal aims. The Court of Appeal had no such qualms and confirmed the irrelevance of motive in vicarious liability.
  3. The employee’s actions do not have to be done in the workplace for the employer to be held to be vicariously liable, provided there is a “seamless and continuous sequence” or “unbroken chain” of events between the employee’s employment and their actions (it was found there was such an unbroken chain in this case, notwithstanding the fact that “the harm was done by Mr Skelton at his home, using his own computer, on a Sunday, several weeks after he had downloaded the data at work onto his personal USB stick”).
  4. Although no decision has been made as to the amount of compensation Morrisons will have to pay, the Court of Appeal acknowledged that data breaches of this sort have the potential to lead to a large number of claims against companies for “potentially ruinous amounts”. The Court’s solution to this is for companies to take out insurance against the risk.

Morrisons has said that it will appeal to the Supreme Court, so this may not be the last we hear on this case.

For the facts of this case, as well as a discussion of the implications and the lessons which can be learnt from it, see Amy Wren’s summary of the High Court’s decision.
