The Supreme Court in England has two issues to consider in the appeal which opens today.

First, should the company be held to be vicariously liable for the acts of its employee in this case? It concerns, after all, a rogue employee, who took payroll data with which he was entrusted home on a USB stick and uploaded it onto a file sharing website. The company was a victim; the employee motivated by a grudge against it. He was convicted of crimes and sentenced to 8 years imprisonment. If the answer to this question is yes, business says it places a huge burden on it, at a time when the cyber incident insurance market is still developing. What are the consequences in practice for how business should monitor and carry out surveillance of employees? Should employers never let employees handle special types of personal data alone? Should employers monitor employees’ laptops routinely, or only if they suspect misuse of personal data?

The second issue is the extent to which data protection law “owns” the field in terms of remedies. Can claimants rely on other causes of action in data breach cases? Does the Data Protection Act 1998 prevent the application of vicarious liability to a breach of the Act?  Does it exclude the application of the tort of misuse of private information or the equitable doctrine of breach of confidence to breaches of that Act?

If the claim against Morrisons is ultimately successful, there will be a further hearing to consider the quantum of damages, and the all-important question of what damages should be awarded for the distress associated with a data breach where there is no other tangible loss.

Andrew Moir, head of Herbert Smith Freehills’ global cyber security practice commented: “If the Court of Appeal’s decision stands it will likely pave the way for future data breach related class actions – even if the individual quantum is modest, the numbers of individuals affected by data breaches is often significant enough to make such claims viable”.

The judges hearing the case are: Lady Hale, Lord Reed, Lord Kerr, Lord Hodge, Lord Lloyd-Jones.

Kate Macmillan, a consultant in our cyber security team, is attending the Supreme Court today and will be reporting live on the submissions.  You can follow her updates here.

Click here to read our data teams post on the Court of Appeal judgment in this case.


Andrew Moir
Andrew Moir
Partner and Global Head of Cyber Security, London
+44 20 7466 2773
Miriam Everett
Miriam Everett
Partner and Head of Data Protection and Privacy, London
+44 20 7466 2378
Tim Smith
Tim Smith
Pensions Professional Support Lawyer, London
+44 20 7466 2542









Recent posts

Podcast: Pensions de-risking EP3: What is a ‘residual risks’ buy-out and how should schemes prepare?

Pension Schemes Bill (Part 1) – Directors, banks and investors put on notice as new criminal sanctions and regulatory powers are significantly wider than expected

Pension disputes bulletin – October 2019