Legal Business Blogs

Supreme Court rules in favour of Morrisons in landmark data breach case

In a significant move for the future of large data breach and privacy cases, Morrisons Supermarkets has successfully defeated a group litigation claim following a decision by the Supreme Court this morning (1 April).

The case centres on whether a company can be held vicariously liable for the actions of a single employee, after thousands of members of staff found their personal information disclosed on the internet by a rogue employee in the company’s audit team.

In October 2018, the Court of Appeal upheld the High Court’s decision that Morrisons was vicariously liable, with the implication that an organisation can be responsible for data breaches even if it has taken measures to comply with data protection legislation. However, the Supreme Court has reversed this decision unanimously, with Lord Reed giving judgment. The court reasoned that ‘the Court of Appeal misunderstood the principles governing vicarious liability in a number of respects’, stating that ‘no vicarious liability arises in the present case.’ Had Morrisons failed in its appeal, it could have faced a bill of at least £10m in compensation.

‘It’s obviously disappointing, the Supreme Court seems to have taken a narrow view of what the wrongdoer has done,’ JMW Solicitors partner Nick McAleenan, who was representing the group of claimants, told Legal Business. ‘There are parts of the case we won; vicarious liability is now available to data breach cases. It was a re-run of the previous stages. Wrongdoer motive is usually irrelevant in vicarious liability cases, but the Supreme Court said the motive of the wrongdoer was relevant.

‘Vicarious liability can still apply but it won’t in cases where the employee has a vendetta against their employer,’ noted McAleenan.

However, Greg Woods, employment and public liability partner at Kennedys, welcomed the decision: ‘Morrisons, or rather their insurers, could have faced a bill of at least £10 million in compensation if they had failed in their attempt to overturn this judgment and it would have represented a disturbing extension in the law of vicarious liability. However, despite Morrisons winning this case, it should still serve as a wake-up call to businesses to have robust data protection policies in place to ensure, so far as possible, they are not victims of a similar breach.’

Nicola Fulford, privacy and cybersecurity partner at Hogan Lovells, said: ‘The Supreme Court’s decision will be welcomed by companies, as they now know they are unlikely to be liable for damages following the deliberate act of a rogue employee where the disclosure is not within the “field of activities” assigned to that employee.

‘However, the Court did go on to indicate that employers may, in principle, still be vicariously liable for breaches of data protection legislation where their employees are data controllers in their own right. Companies must continue to ensure their systems and processes for securing their data are robust, even more so given the increased risks of breaches we are seeing during the COVID-19 pandemic,’ Fulford concluded.

DWF’s Andrew Harris acted for Morrisons, with Blackstone Chambers’ Lord Pannick QC and 11KBW’s Anya Proops QC instructed. McAleenan instructed 5RB’s Jonathan Barnes and Victoria Jolliffe.