Morrisons Granted Permission for Supreme Court Appeal Over D

Morrisons Granted Permission for Supreme Court Appeal Over Data Breach Ruling

In October 2018, the Court of Appeal upheld a previous High Court decision that Morrisons was vicariously liable for a data breach by a disgruntled employee in 2014. The Supreme Court recently granted Morrisons permission to appeal the decision to the highest court in England and Wales. Responding to that development, Tim Smith, Partner and head of TMT and Cyber at BLM, explores the potential impact of the decision.

The underlying decision (that Morrisons was vicariously liable for the data leak) came as a significant blow to Morrisons, whose procedures, processes and systems were found to be sufficiently good that they avoided primary/direct liability for the breach. With the case hinging on the finding of vicarious liability and with over 5000 claimants waiting in the wings it is no surprise that Morrisons took the case to the Court of Appeal. However, the Court of Appeal quickly and robustly upheld the original decision, paving the way for a trial on quantum to proceed.

The Court of Appeal accepted that the outcome was tough on innocent employers but the bottom line, as far as the Court of Appeal seemed to be concerned, was that this is what vicarious liability was all about and that it would be even tougher on innocent victims if vicarious liability did not exist/were not imposed. Whilst personal injury lawyers may have found the judgment unsurprising it was, in fact, a very new experience for vicarious liability to play such a significant role in a technology/media claim.

Supreme Court Appeal

There seemed to be a real prospect that, given the High Court and Court of Appeal decisions and the substantial body of case law dealing with vicarious liability, the Supreme Court would have decided that Morrisons had reached the end of the line and that a further appeal was unnecessary. However, Morrisons will be pleased to have another chance to persuade the court to find that it is not liable for the breach.

Nonetheless there remains an extensive list of authorities imposing vicarious liability on innocent employers in a range of situations from everything from theft to sexual abuse. Given the wealth of case law dealing with vicarious liability and what seems to be a clear direction of travel to make employers liable, Morrisons may therefore face an uphill struggle.

Going forward, vicarious liability is set to prove an issue for businesses of all sizes, with this case proving data protection is no exception. Whilst the case was decided under the Data Protection Act 1998, the GDPR and the new Data Protection Act 2018 are likely to only increase the prospects of group actions being pursued in the event of a breach.

Going forward, vicarious liability is set to prove an issue for businesses of all sizes, with this case proving data protection is no exception.

Many businesses and their insurers will be keeping a close eye on this case. If the decision is upheld then the risk to businesses (and the need to manage that risk) will be significantly increased and further claims will undoubtedly follow. If the decision is overturned this will represent an obstacle to the expansion of the application of vicarious liability and will also raise the question of how victims in such cases will be able to secure compensation. Regardless of which way judgment eventually falls, the final decision is set to prove a definitive and landmark ruling.

Litigation & ADRMost Recent
By Lawyer Monthly 0
Oliver Sullivan

Hi, I'm Oliver, the Editor for our Online Content. Feel free to email me at editorial.dept@lawyer-monthly.com if you have any questions or interesting content to send over!

You might also like More from author
Leave A Reply