Morrisons v Various Claimants - Vicarious liability: data breach

The Supreme Court has overturned previous rulings, finding that Morrisons were not vicariously liable for the actions of an employee who illegally distributed personal data of nearly 100,000 staff.

Organisations can be liable for acts committed by their employees if it is found that their actions are sufficiently connected to their employment. Since this doctrine was introduced, there have been numerous cases which established this liability.

In Mohamud v Wm Morrison Supermarkets plc, the Supreme Court held that Morrisons were liable for the actions of an employee who assaulted a customer, as there was a close connection between his act and his employment. This was because, while his conduct was “inexcusable”, it was within the “field of activities” assigned to him.

In Bellman v Northampton Recruitment Ltd, the Court of Appeal also found the organisation was liable when a director assaulted a member of staff whilst they were both out having Christmas drinks. Regardless of the timing and location of the assault, it took place when the individual was exercising his managerial authority over junior employees, including giving members of staff a lecture regarding his authority.


This case concerned an employee who held a grudge against Morrisons after being given a verbal warning for misconduct. He was provided access to payroll data concerning a large number of Morrisons staff so he could distribute it to external auditors. Instead, he copied the data onto a USB stick and posted it online under a colleague’s name. He also sent it to a number of newspapers.

The data included names, addresses, dates of birth, phone numbers, national insurance numbers, bank account details and salary details. Morrisons acted quickly in taking this information down and, following an investigation, the employee was convicted of fraud, securing unauthorised access to computer material and disclosing personal data. He was jailed for eight years in July 2015.

Over 5,500 claimants brought action for compensation against Morrisons claiming they were exposed to the risk of identity theft and financial loss. Morrisons, who had spent £2.26 million dealing with the aftermath of this situation, contested the claim.


The High Court found the leak was not facilitated or authorised by Morrisons and the organisation had adequate and appropriate data controls in place. Regardless of this, the High Court still ruled that Morrisons were vicariously liable for the actions of their employee in leaking the data. In forming their decision, the High Court adopted the ‘broad and evaluative’ approach as outlined in Mohamud, finding there was sufficient connection between the employee’s position and his conduct to give rise to vicarious liability. As such, the claimants could seek compensation awards for the “upset and distress” caused to them by leaking their private data.


Morrisons appealed the High Court's decision, contending that the employee had not carried out the wrongful acts during the course of his employment. The Court, referring to the Bellman judgement, highlighted that vicarious liability is not restricted to acts which occur when the employee is ‘on the job’. As a result, they determined that the act of sending employee data to a third party was within the field of activities assigned to the internal auditor.

The Court did examine Morrisons’ argument that vicarious liability could not be found where the perpetrator's intention was to harm their employer, due to the overwhelming burden this would place on innocent employers. However, they found that vicarious liability could be established in acts of deliberate wrongdoing; it was therefore irrelevant what the motive of the wrongdoer was, and to whom they were trying to cause harm.


Morrisons appealed against this decision to the Supreme Court, who upheld their appeal. They held that the Court of Appeal had misunderstood how vicarious liability arises and therefore reached the wrong conclusions.

The Court first noted that there had been misunderstandings since the Mohamud ruling, outlining that the origins of the doctrine of vicarious liability were acts that could be fairly regarded as done by an employee in the course of their employment. It had not been necessary to rely on the motivations of the employee in Mohamud since it was clear on those specific facts that the employee had been acting on the organisation’s business (but unlawfully).

Contrary to what the Court of Appeal had concluded, motivation was important in this case as it determined whether the employee had been acting on his own or for Morrisons’ business. Although there was a temporal link between the employee’s role and his actions, this did not in itself give rise to vicarious liability. His employment had given him the opportunity to commit this act, but he had done so due to his own personal vendetta. The disclosure of this data had also not formed part of his usual duties.

Note for employers

This case suggests that organisations will not always be held liable for the acts of employees under the doctrine of vicarious liability; however, this will be very fact specific. Whilst the specific motivation of the employee was considered important here, this may not always be the case. To this end, it is important that organisations are prepared to respond quickly to situations of this nature; all three courts praised Morrisons for the steps they took following the data breach.