The Supreme Court has given Morrisons permission to appeal against a finding that the supermarket is vicariously liable for a data breach caused by a discontented former employee.
As we reported in November 2018 (see Data Leaks and Employer Liability), in a claim for data theft brought by a group of 5,518 Morrisons’ employees, the Court of Appeal held that Morrisons was vicariously liable for the criminal actions of a rogue employee who publically released personal data about Morrisons’ staff. That decision was reached despite the fact the court also found that Morrisons had taken what the court considered to have been appropriate steps to mitigate the risk of such actions. The Court of Appeal also notably refused permission to appeal, requiring Morrisons to apply directly to the Supreme Court.
This case is of particular significance to companies in possession of large amounts of personal data, given that it confirms the concept of vicarious liability will apply to instances of data breach. Indeed, the Court of Appeal itself recognised that its decision may “open the floodgates” and lead to a large number of claims being brought against employers for data breaches.
The decision to hear the appeal indicates that the Supreme Court is of the view that the appeal would have a real prospect of success or there is some other compelling reason for the appeal to be heard. Although what decision the Supreme Court will reach obviously remains to be seen, what can be said with reasonable certainty is that, whatever the final judgment may be, it will likely have a very significant effect on data protection law in England & Wales.