Cyber claims: Morrisons and the enemy within

United Kingdom

In Wm Morrisons Supermarket PLC v Various Claimants [2018] EWCA Civ 2339, the Court of Appeal has held that an employer can be vicariously liable to multiple claimants for a mass data breach committed by a rogue employee. It is the first successful class action arising from such a breach.


A senior internal IT auditor employed by Morrisons copied the payroll data pertaining to almost 100,000 employees onto his own USB drive. The data included sensitive personal data. The employee subsequently uploaded the data onto a file sharing site and told three newspapers that the personal data had been made available on the web. Having been alerted to the data breach, Morrisons swiftly took steps to ensure the takedown of the website and alerted the police. The employee was charged with fraud and offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (“the DPA”). He was sentenced to a term of eight years’ imprisonment.

This claim involved a class action by over 5,000 Morrisons employees whose data had been disclosed in the breach. The claimants sought compensation against Morrisons for:

  1. Breach of statutory duty under the DPA;
  2. Breach of the common law tort of misuse of private information; and
  3. An equitable claim for breach of confidence.

The claimants submitted that Morrisons should be found primarily liable under each of the three heads, or failing which, that Morrisons were at least vicariously liable.

The High Court

The High Court rejected the claims that Morrisons bore primary liability for the breach under all three heads of claim.

On the question of vicarious liability, the court concluded that there was a sufficient connection between the position in which the employee was employed and his wrongful conduct to impose vicarious liability. The employee had been entrusted with the position of handling and disclosing personal data to the company’s external auditors.

The Court of Appeal

On appeal, Morrisons submitted that:

  1. The DPA excluded the application of vicarious liability;
  2. The DPA excluded the application of causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same; and
  3. The wrongful acts of the employee did not occur during the course of his employment, and therefore Morrisons was not vicariously liable for those wrongful acts.

On the first two grounds, the Court of Appeal held that the statutory regime imposed by the DPA did not exclude either the application of vicarious liability or the causes of action for misuse of private information and breach of confidence. The common law remedies were not incompatible with the statutory scheme, and so it could not be said that Parliament had not intended them to coexist. There was no express exclusion of the common law remedies and no specific provision in the DPA addressing these particular circumstances. Moreover, an exclusion of vicarious liability would be inconsistent with the objectives of the DPA, namely the protection of privacy and the provision of an effective remedy for its infringement.

The Court of Appeal also upheld the High Court’s findings on the third ground of appeal, namely that vicarious liability attached. Morrisons submitted that the employee’s acts were disconnected from his employment: they took place at home, using his personal computer, on a non-working day and several weeks after he had downloaded the data. However, the Court of Appeal held that they were “within the field of activities assigned to the employee”. There was an “unbroken thread that linked the employee’s work to the disclosure: what happened was a seamless and continuous sequence of events”.

To the Supreme Court?

Morrisons has indicated its intention to appeal the decision to the UK Supreme Court. As matters stand, however, the ramifications are significant: employers are potentially exposed to mass data breach claims caused by the actions of rogue employees.


This case marks the UK’s first successful class action taken in respect of a breach of data protection laws. The decision was made under the old data protection regime, namely the DPA. In an era where cyber breaches are a virtual inevitability, and there is a stricter regime imposed on data controllers by the EU’s General Data Protection Regulation, class actions arising from data breaches are not going away. And they are only getting bigger: the recent High Court case of Lloyd v Google LLC [2018] EWHC 2599 (QB) could have seen a pay-out of £3 billion to some 4.4 million Claimants, had the court not ruled in favour of Google.

Both the Court of Appeal and High Court recognised that Morrisons could not have realistically prevented the employee from committing the breach. Yet both courts were content that Morrisons should be vicariously liable, citing the availability of insurance against the risks. It is therefore imperative for businesses to ensure they have adequate insurance in place to cover the potentially large exposures arising from these claims.

Co-authored by Jordan Rhodes.