Morrisons - data breach case

We have reported previously on the case involving Morrisons supermarket regarding the actions of a rogue employee. The legal case involved the principle of vicarious liability. This is liability which is imposed on employers for the actions of their errant employees. In general terms, an employer can be held liable for the action of an employee who is carrying out their work-related duties.

In the recent case, a disgruntled Morrisons employee downloaded the personnel files of some 125,000 employees and uploaded it onto an Internet filesharing site. The sharing of the data was timed to coincide with the release of Morrison's annual financial results in the hope of damaging the company's public image. Subsequently the employee was imprisoned. Over 9000 employees of Morrisons sued the company arguing that Morrisons was vicariously liable for the acts of the employee. The Court of Appeal held that Morrisons was liable on the basis that the wrongful act in sending the data to 3rd parties was within the field of activities assigned to the employee by Morrisons.

The Supreme Court has reversed the Court of Appeal decision. The Supreme Court held that the disclosure of the data on the Internet did not form part of the employee's functions or field of activities assigned to it by Morrisons and thus the Court of Appeal was mistaken in law on this point. The fact that the employee had leaked the data of his own volition was not sufficiently closely connected to his job for vicarious liability to apply.

Thus, for the 9000 employees, Morrisons is not liable to pay compensation to them.  Importantly for employers, however, the wider principle which the case has established is that companies can be held vicariously liable for employees' actions which result in a data breach.

The case is thus an important reminder that at all times, employers must have robust data control measures in place, they should carefully consider who is entitled to hold and have access to personal data and should only provide access to personal data where it is necessary for that employee to fulfil their role. As we regularly point out, policies and procedures should be carefully reviewed and regular training on the importance of data protection obligations should be carried out.

To discuss this or any other employment related issue, contact us.