Supreme Court: liability for employee’s data breach

Finally members will have seen that the Supreme Court in April 2020 in WM Morrisons v Various Claimants sided with Morrisons holding (contrary to the previous finding of the Court of Appeal) that the supermarket was not vicariously liable for a massive data breach which was committed deliberately by an unhappy employee.

In the case the disgruntled employee posted personal data of over 100,000 staff online and despite the employee receiving a substantial jail sentence, thousands of employees subsequently brought a group action against the supermarket for compensation.

Members may remember the previous case, which caused considerable concern for employers as, despite the fact that the data breach had been committed deliberately by the employee, it found Morrisons to be vicariously liable in respect of that data breach. The Supreme Court was critical of the Court of Appeal in misunderstanding some of the principles of vicarious liability effectively finding he was on “a frolic of his own” (to quote the classic legal phrase) and there was not a significant connection between his work and his wrongful malicious conduct.


Although the case is welcome news for employers, as with any case it is dependent on the facts and there is still a high risk of a claim under the Data Protection Act/GDPR for any data breach by an employer.