April 2, 2020

UK Supreme Court Says Employer Not Vicariously Liable for Employee’s Data Protection Breach

Employers can take some comfort from the UK Supreme Court’s judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 12, which held that Morrisons was not liable for the actions of a rogue employee who uploaded the personal data of almost 100,000 employees to a website to seek vengeance against his employer. The case was brought in connection with the Data Protection Act 1998, but the decision remains relevant under the new legislation.

Ruling On Data Privacy Liabilities

In this case, an employee of Morrisons was tasked with transferring payroll data to an external auditor. The dataset contained the details of 98,998 employees. Having received a warning for misconduct, he used this task as an opportunity to make a personal copy of the personal data and upload it to a publicly accessible website. The employee then anonymously sent CDs containing the file to three newspapers, claiming to be a concerned member of the public. The newspapers did not publish the data, and instead alerted Morrisons to the data breach. Morrisons took active steps to remove the data and minimise the breach. Nonetheless, approximately 9,000 of Morrisons’ affected employees brought a claim against Morrisons and sued for damages in respect of alleged distress, anxiety, upset and damage.

The High Court and Court of Appeal held that Morrisons was vicariously liable for the employee’s breach, as his actions were closely connected to the role and task he had been entrusted with and his wrongdoing was therefore not enough to break the chain of causation.

The Supreme Court, however, disagreed. The Supreme Court stated that the mere fact that the employee’s role gave him the opportunity to commit the wrongful act would not be sufficient to give rise to vicarious liability. The test is whether the wrongful actions of the employee are so closely connected to the tasks entrusted to the employee that those wrongful actions may be regarded as carried out in the ordinary course of employment. Here, the employee was not furthering Morrisons’ business and, instead, was pursuing a personal vendetta and, therefore, Morrisons was held not to be liable for the employee’s actions.


Employers will welcome this ruling, but should also remain vigilant, as this decision doesn’t rule out the possibility that a successful claim for a data breach caused by a rogue employee could be brought in the future. The Supreme Court was clear that liability will attach to an employer if the employee’s actions were considered to be closely connected to their role. Also, in this case the lower courts had not found any fault with Morrisons’ security measures in connection with the breach, and the case turned solely on the employee’s actions. Had Morrisons not ensured a sufficient level of security was in place to safeguard its personal data, the outcome could have been quite different. Employers, therefore, need to put in place robust internal measures to help maintain the confidentiality of personal data (including training and explaining the impact of data breaches, not only on the employer but on employees themselves) and to ensure appropriate security for the earliest possible detection of a data leak.

Meet the Team

Goodwin’s key GDPR team members include Gretchen Scott, Curtis McCluskey, Federica De Santis and Jackie Klosek.

Goodwin’s Chambers and Legal 500 ranked Data, Privacy and Cybersecurity practice offers a fully integrated, multi-disciplinary approach to clients’ data protection needs. One of the longest-standing of any Am Law 50 firm, our global team is uniquely positioned to provide the most innovative solutions to guide clients through the collection, use, processing and protection of their most sensitive information. Our senior lawyers include a former Chief Privacy Officer of the U.S. Department of Homeland Security in the Obama Administration and Legal 500 Recommended Lawyer; a Legal 500 “Leading Lawyer;” and a “Next Generation Lawyer” in Cyber Law and Data Breach Response, as well as three other Legal 500 Cyber Law ranked partners; several former federal prosecutors; and multiple GDPR, CCPA, FTC, HIPAA, and COPPA experts. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks; have advised on over 700 public and private transactions in the last year alone; and have designed strategic privacy, information security and compliance programs for startups, global enterprises, and everything in between. We have litigated landmark privacy cases and defended against class action and government enforcement actions brought by the FTC, OCR/HHS, state attorneys general and regulators across the globe.