Security News > 2020 > April > At the Supreme Court, Morrisons pops data breach liability win into its trolley – but it's not a get-out-of-compo free card for businesses

Morrisons supermarket is not liable for the actions of a disgruntled employee who deliberately leaked nearly 100,000 employees' payroll data online, Britain's Supreme Court has ruled.

Supreme Court judge Lord Reed ruled: "First, the disclosure of the data on the internet did not form part of Skelton's functions or field of activities," also decreeing that previous findings by the High Court and Court of Appeal were mistaken in law.

In a case concerned with vicarious liability arising out of a relationship of employment, the court generally has to decide whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of his employer, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.

Nick McAleenan, lead solicitor for the employees, commented: "For the first time, the Supreme Court has established the legal principle that employers can now be legally responsible for data breaches caused by their employees - under the law of vicarious liability."

In contrast, Matthew Gill of law firm Wiggin LLP opined: "If the court's decision had gone the other way, Morrisons would have been liable to 100,000 of its employees for a breach of their data despite Morrisons having done everything it reasonably could have to protect that data. Other employers would have faced an untenable risk that if they were hit by a similar theft of data by an employee, they would be left wholly exposed."

News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/01/morrisons_wins_data_breach_vicarious_liability_supreme_court/