Norton Rose Fulbright - Data Protection Report blog

In a judgment which will be warmly welcomed by employers (and their insurers) in the UK, the UK Supreme Court today overruled the Court of Appeal in holding that Morrisons supermarkets is not vicariously liable for a data breach maliciously caused by a former employee.

The Supreme Court concluded that the Court of Appeal had misunderstood the principles governing vicarious liability in their previous judgments in the case.

The key issue before the Supreme Court was whether the “close connection” test developed in previous case law was satisfied, and therefore whether vicarious liability could be imposed on Morrisons.  The Supreme Court found that this was not the case, for the following reasons:

  1. The employee’s actions in causing the data breach were not within the “field of activities” of the employee.  This meant that his actions were not so closely connected with that task that they can fairly and properly be regarded as made by him while acting in the ordinary course of his employment;
  2. A temporal and/or causal link is not enough.  The fact that his employment gave the employee the opportunity to commit the data breach is not sufficient to warrant the imposition of vicarious liability; and
  3. An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta (as was the case here – the employee’s motivation in committing the data breach was to harm his employer, not to further its business). The employee’s motive is therefore relevant in that analysis.

This decision sets aside a significant liability risk which had arisen following the previous decisions in the case. In addition, the Court of Appeal’s comment that companies should simply obtain insurance to cover this liability risk will no longer be troubling for the insurance market.

The Supreme Court’s decision largely puts an end to a paradoxical situation that had arisen – specifically that in making findings of vicarious liability against employers in circumstances where an employee was looking to harm their employer by causing a data breach, the courts could in some circumstances be furthering the malicious aims of that employee.

All that said, it is important to note that the judgment does not set aside the possibility of employers being found vicariously liable in the data breach context per se. The Supreme Court was not persuaded by Morrisons’ arguments that the Data Protection Act 1998 (and by implication, its successor legislation in the form of the Data Protection Act 2018 and the EU General Data Protection Regulation) exclude vicarious liability for statutory and common law wrongs in the data breach context. What this means is that if an employee did satisfy the “close connection” test when they caused a data breach, vicarious liability on the part of the employer remains a possibility.