In a unanimous decision on 1 April 2020, the Supreme Court reversed the Court of Appeal’s decision that found Morrisons vicariously liable for a data breach committed by a rogue employee. The Supreme Court held that the Court of Appeal “misunderstood the principles governing vicarious liability in a number of relevant respects”.
1. Background
As a reminder, the Morrisons data breach was the result of the deliberate and criminal actions of a disaffected former employee – Andrew Skelton. Having exploited his legitimate access to Morrisons’ systems, Mr Skelton stole and unlawfully published the personal data of almost 100,000 Morrisons employees on a file sharing website, then later sent a copy of the same data anonymously to three newspapers. The published data included names, addresses, gender, dates of birth, telephone numbers, national insurance numbers, bank account details and salary details. Once Morrisons was alerted to the breach, it quickly took steps to take down the website and alerted the police. The ICO investigated but ultimately decided that no enforcement action was appropriate at…