The Supreme Court has granted Morrisons permission to appeal against the Court of Appeal’s ruling, which found that the supermarket chain was vicariously liable for a former employee’s data breach (previously discussed here). The breach led to the payroll data of around 100,000 staff being posted online in 2014. In reaching its decision, the Court of Appeal considered the risks faced by affected staff and whether the handling of personal data fell within the scope of the employee’s role. Morrisons contended that it had done as much as it reasonably could to prevent the data breach. However, the Court of Appeal unanimously dismissed its appeal and took the view that the former employee’s tortious acts were within the field of activities assigned to him by Morrisons.
The Supreme Court will consider, among other questions: a) whether the doctrine of vicarious liability is excluded in data protection cases; and b) whether the Court of Appeal’s conclusion that the employee was acting in the course of his employment when he leaked the data was incorrect.
As this is the first UK class action case that has been brought in response to a data breach, the Supreme Court’s decision will hopefully provide employers with some clarity on the application of vicarious liability in the context of data protection legislation. Many organisations currently fear that the decision could give rise to a surge in data breach class action claims in the UK. To avoid losses caused by dishonest or malicious employees, the Court of Appeal advised employers to consider insurance as a solution. It remains to be seen how effective such policies are in limiting an employer’s exposure when faced with a significant class action and insurance could become a costly option. As a preventative measure, employers should also regularly review and secure their IT systems to ensure they are not vulnerable to data protection breaches caused by third parties such as former employees.