HR · 23 October 2018

What does the Morrisons data breach mean for small businesses?

Morrisons employees brought a claim against the company after a staff member stole private data

Yesterday, Morrisons lost its challenge to a High Court ruling that it is liable for a data breach that saw thousands of its employees’ details posted online.

The Court of Appeal upheld the original decision against the supermarket, issued in December 2017.

Workers brought a claim against the company after an employee stole data, including salary and bank details, of nearly 100,000 staff.

When are employers liable for a data breach?

Employers can be vicariously liable for the acts carried out by their employees in the course of their employment. This means the employer will be held responsible and will have to pay compensation to those who have suffered loss or damage as a result of their employees’ acts, even if they haven’t expressly authorised the employee to carry out the particular act.

Whether the employee is acting in the course of the employment is examined broadly, by assessing whether there is a close connection between their field of activities and the wrongful act.


Notably, in this case, the Court of Appeal has highlighted that vicarious liability can be established regardless of the motives of the person committing the wrongful act, so long as they were acting in the course of their employment. This means that even if the individual’s intention is to harm their employer, the employer can still face liability as a result.

In practice, employers can reduce the risk of being found vicariously liable for an employee’s data breach by taking all reasonable steps to avoid this action occurring within the workplace.

Having a data protection policy in place which outlines acceptable employee behaviour is key.

This can inform employees what processes and procedures are in place within the business to protect personal data, such as internal monitoring of email and internet activity, and can set out forms of acceptable and unacceptable behaviour, such as prohibiting the downloading or sending of data to personal devices or email accounts.

Employers can monitor employee activity in line with this policy, and any internet and email policy, to detect where there is a risk of a data breach. Proactive action can then be taken to prevent the data breach occurring, and avoid the risk of being found liable for this breach. 

As well as vicarious liability for the data breach, since the introduction of the General Data Protection Regulation (GDPR) in May 2018, employers who suffer a personal data leak could find themselves liable for a costly fine.

Kate Palmer is associate director at Peninsula HR




Kate Palmer CIPD is the head of advisory at law firm Peninsula and is a member of its senior leadership team. She joined in 2009 having held a senior HR manager's role in another large company. With a specialist background in facilities management in the NHS, Kate offers a wealth of employment law experience. She's an expert negotiator - one notable case was with the NHS's trade unions over terms and conditions in the Agenda for Change pay system.