The Morrisons case: When is an employer liable for data breaches by its employees?
❗Flash Briefing from the UK❗
⚡Kim Walker of Shakespeare Martineau discusses the UK Supreme Court’s important recent judgement clarifying the scope of the principle of “vicarious liability”: when is an employer strictly liable for the wrongdoings of its employees even though the employer is entirely blameless?
➡️ The case is of particular interest to anyone advising on dataprotection, because the employee, in this case, had maliciously and wrongfully uploaded payroll data of 100,000 employees to the internet, potentially exposing Morrisons to huge claims for compensation from the employees involved.
➡️ The High Court and the Court of Appeal in the UK had previously found Morrisons vicariously liable for the rogue employee’s actions.
The discussion includes:
❓How do you decide what an employee’s “field of activities” are?
❓When is the wrongful action “closely connected” to the field of activities?
❓Are the employee’s motives relevant?
❓Why was the previous leading case (Mohamud v Morrisons) different?
❓What are the practical implications in the field of data protection?