Skip to content

Farrer & Co | Ruling significantly increases organisations' exposure to data breach claims

A High Court ruling has determined that Morrisons Supermarkets is vicariously liable for a data breach maliciously committed by a disgruntled employee.

The case is significant for a number of reasons:

  • It is the first time that an employer has been held vicariously liable in such circumstances;
  • It did not matter that Morrisons had discharged their obligations to take all necessary steps to prevent the breach;
  • Data breaches committed by employees are reasonably common. Once the EU General Data Protection Regulation (GDPR) takes effect in May 2018, breaches like this will have to be reported to the affected individuals (and to the Information Commissioner). It had been thought that compliance with accepted data security standards would offer a defence to any subsequent claims by the affected individuals. This no longer appears to be the case. In effect, we have gone from a negligence standard towards one more akin to strict liability;
  • It raises questions about the extent to which insurance cover for data breaches, and the consequences arising from them, is in place or available in such circumstances.

Ian De Freitas and David Morgan consider the case and its implications in more detail in the article linked here.

If you require further information on anything covered in this briefing please contact Ian De Freitas or David Morgan or your usual contact at the firm on 020 3375 7000.

This publication is a general summary. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, December 2017

This site uses cookies to help us manage and improve the website and to analyse how visitors use our site. By continuing to use the website, you are agreeing to our use of cookies. For further information about cookies, including about how to change your browser settings to no longer accept cookies, please view our Cookie Policy. Click for more info