Print Article

Good news for employers, or is it? – the UK Supreme Court hands down judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)


Quick read and listen

  1. The UK Supreme Court [April 1st 2020] overruled the Court of Appeal in holding that that Morrisons supermarkets are not vicariously liable for a data breach maliciously caused by a former employee.
  2. The Supreme Court concluded that the Court of Appeal had misunderstood the principles governing vicarious liability in their previous judgments in the case.
  3. Listen to the reasons for the decision -

Read an analysis here

  1. The critical issue before the Supreme Court was
    1. whether the “close connection” test developed in previous case law was satisfied, and
    2. therefore whether vicarious liability could be imposed on Morrisons.
  2. The Supreme Court found that this was not the case, for the following reasons:
    1. Field of activities of the employee?
      1. The employee’s actions in causing the data breach were not within the “field of activities” of the employee.
      2. This meant that his actions were not so closely connected with that task that they can fairly and properly be regarded as made by him while acting in the ordinary course of his employment;
    2. A temporal and/or causal link is not enough.
      1. The fact that his employment gave the employee the opportunity to commit the data breach is not sufficient to warrant the imposition of vicarious liability; and
    3. An employee’s motive is relevant.
      1. An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta (as was the case here – the employee’s motivation in committing the data breach was to harm his employer, not to further its business).
      2. The employee’s motive is, therefore, relevant in that analysis.
    4. The decision
      1. This decision sets aside a significant liability risk which had arisen following the previous decisions in the case.
      2. In addition, the Court of Appeal’s comment that companies should simply obtain insurance to cover this liability risk will no longer be troubling for the insurance market.
      3. The Supreme Court’s decision largely puts an end to a paradoxical situation that had arisen – specifically that in making findings of vicarious liability against employers in circumstances where an employee was looking to harm their employer by causing a data breach, the courts could in some circumstances be furthering the malicious aims of that employee.
    5. Vicarious liability The Supreme Court was not persuaded by Morrisons’ arguments
      1. It is important to note that the judgment does not set aside the possibility of employers being found vicariously liable in the data breach context per se.
      2. The Supreme Court was not persuaded by Morrisons’ arguments that the Data Protection Act 1998 (and by implication, its successor legislation in the form of the Data Protection Act 2018 and the EU General Data Protection Regulation) exclude vicarious liability for statutory and common law wrongs in the data breach context.
      3. What this means is that if an employee did satisfy the “close connection” test (see above) when they caused a data breach, vicarious liability on the part of the employer remains a possibility.

Souced from –


The Team

Meet the team of industry experts behind Comsure

Find out more

Latest News

Keep up to date with the very latest news from Comsure

Find out more


View our latest imagery from our news and work

Find out more


Think we can help you and your business? Chat to us today

Get In Touch

News Disclaimer

As well as owning and publishing Comsure's copyrighted works, Comsure wishes to use the copyright-protected works of others. To do so, Comsure is applying for exemptions in the UK copyright law. There are certain very specific situations where Comsure is permitted to do so without seeking permission from the owner. These exemptions are in the copyright sections of the Copyright, Designs and Patents Act 1988 (as amended)[]. Many situations allow for Comsure to apply for exemptions. These include 1] Non-commercial research and private study, 2] Criticism, review and reporting of current events, 3] the copying of works in any medium as long as the use is to illustrate a point. 4] no posting is for commercial purposes [payment]. (for a full list of exemptions, please read here]. Concerning the exceptions, Comsure will acknowledge the work of the source author by providing a link to the source material. Comsure claims no ownership of non-Comsure content. The non-Comsure articles posted on the Comsure website are deemed important, relevant, and newsworthy to a Comsure audience (e.g. regulated financial services and professional firms [DNFSBs]). Comsure does not wish to take any credit for the publication, and the publication can be read in full in its original form if you click the articles link that always accompanies the news item. Also, Comsure does not seek any payment for highlighting these important articles. If you want any article removed, Comsure will automatically do so on a reasonable request if you email