HR · 23 October 2018

What does the Morrisons data breach mean for small businesses?

Morrisons employees brought a claim against the company after a staff member stole private data

Yesterday, Morrisons lost its challenge to a High Court ruling that it is liable for a data breach that saw thousands of its employees’ details posted online.

The Court of Appeal upheld the original decision against the supermarket, issued in December 2017.

Workers brought a claim against the company after an employee stole data, including salary and bank details, of nearly 100, 000 staff.

When are employers liable for a data breach?

Employers can be vicariously liable for the acts carried out by their employees in the course of their employment. This means the employer will be held responsible and will have to pay compensation to those who have suffered loss or damage as a result of their employees? acts, even if they havent expressly authorised the employee to carry out the particular act.

Whether the employee is acting in the course of the employment is examined broadly, by assessing whether there is a close connection between their field of activities and the wrongful act.



Kate Palmer CIPD is the head of advisory at law firm Peninsula and is a member of its senior leadership team. She joined in 2009 having held a senior HR manager's role in another large company. With a specialist background in facilities management in the NHS, Kate offers a wealth of employment law experience. She's an expert negotiator - one notable case was with the NHS's trade unions over terms and conditions in the Agenda for Change pay system.

Supply chain