The UK Supreme Court has granted supermarket chain Morrisons permission to appeal against a landmark UK Court of Appeal ruling that found it vicariously liable for a data breach by a former employee (previously discussed here).
Mr Skelton, an internal auditor at Morrisons, maliciously disclosed his co-workers’ personal data (including payroll data) on the internet. The UK Court of Appeal found Morrisons vicariously liable for the rogue employee’s actions, even though the data breach was deliberately targeted at harming Morrisons. In a class action suit, over 5,500 employees sued Morrisons for compensation for loss caused by the data breach, including non-pecuniary loss such as distress.
The Court of Appeal acknowledged that data breaches caused by individuals acting in the course of their employment may lead to a large number of claims against companies for “potentially ruinous amounts” but that the solution is to insure against such catastrophes. However, it remains to be seen whether insurance companies can accurately price such risks. In addition, it is unclear whether insurance coverage for court-awarded or regulatory fines for data breaches would be enforceable. Whilst there is nothing in the GDPR permitting or prohibiting such insurance, there is a risk it may be unenforceable on public policy grounds.
The appeal will be watched closely by employers and legal practitioners in Ireland, as the UK Supreme Court’s decision on the scope of an employer’s vicarious liability for data breaches may be of persuasive authority to the Irish courts. No date has yet been given for the appeal hearing.