Court of Appeal upholds vicarious liability claim in data breach class action

WM Morrison Supermarkets PLC v Various Claimants [22.10.18]

The Court of Appeal upholds the High Court’s decision to hold Morrison Supermarkets (Morrisons) vicariously liable for the criminal actions of its employee in posting almost 100,000 of its employees’ personal data on the web.

First instance decision

We have previously commented upon the first instance decision where the High Court found that Morrisons was not in breach of its primary duties under the Data Protection Act 1998 (DPA) but that it was vicariously liable for the actions of its employee, even though it appeared that those actions appeared designed to harm the company.

The Judge found that the employee was in breach of both his DPA and common law duties and that Morrisons’ vicarious liability extended to both.

Read our full article here.


Morrisons raised three grounds of appeal.

1. That the DPA excludes the application of vicarious liability for breaches of the DPA.

The Court of Appeal decided that the vicarious liability of an employer for misuse of private information by an employee and for breach of confidence by an employee had not been excluded by the DPA.

2. That the DPA excludes the application of causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for such breaches.

Morrisons conceded in argument that the tort of misuse of private information and the cause of action for breach of confidence in relation to the processing of personal data was not excluded by the DPA. Instead it was submitted that this exclusion only applied to vicarious liability for those torts. The Court of Appeal was unwilling to accept this argument.

If Morrisons were correct on those two points then, in its submission, there would be no scope for vicarious liability at all.

3. That the wrongful acts of Mr Skelton did not occur during the course of his employment by Morrisons and therefore Morrisons was not vicariously liable for those wrongful acts.

The Court of Appeal’s decision in the case of Bellman v Northampton Recruitment Ltd [11.10.18] was handed down less than two weeks before the Morrisons judgment. The parties were, therefore, given the chance to make further submissions in light of it. Our review of the Bellman case can read here.

The Court of Appeal had little difficulty in accepting that the tortious acts of the Morrisons’ employee in sending the claimants' data to third parties were within the field of activities assigned to him by Morrisons and that this was the relevant test when considering vicarious liability, despite the intentions behind those acts - which is what had troubled the Judge at first instance.

The Court of Appeal went on to say:

There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees. We have not been told what the insurance position is in the present case, and of course it cannot affect the result. The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward …on behalf of Morrisons.


The Court of Appeal has reaffirmed the approach taken in recent vicarious liability cases which, in fact, present more extreme scenarios of companies being held liable for the actions of their employees and confirmed that this applies to cases under the DPA.

It is interesting to note that the court is alive to the potentially significant cost to the companies who might be affected by such actions of their employees - even if those actions are malicious - but sees that the solution to this is insurance.

The decision will be considered carefully by liability insurers. There is bound to be considerable scrutiny on the imposition of vicarious liability given the particular facts of the case and Morrisons have already confirmed that they will seek leave to appeal to the Supreme Court.

More generally, however, the Court of Appeal’s reference to insurance puts in focus another important trend. A range of widely available insurance covers now potentially respond to liabilities arising from the infringement of data security and privacy rights. This includes under extensions to general liability covers that have become increasingly common in recent years. Court decisions like this one should increase corporate awareness of the desirability of having cover for data breach liabilities. They will also bring into even closer focus for insurers a range of coverage issues about where such exposures are being insured.

Related items: