Imagine the scenario … the personal data of nearly 100,000 employees is misused in a catastrophic data breach. But this was not the action of an elusive hacker looking for financial reward. The culprit was a person on your payroll – a disgruntled employee whose only aim was to damage your reputation.

Now imagine the subsequent sting in the tail – being held accountable for that employee’s behaviour.

This is the “Morrisons Effect”, following the recent confirmation by the Court of Appeal that Morrisons were vicariously liable for their employee’s actions. As a result, Morrisons faces a vast compensation bill (although reports indicate that Morrisons will be taking the decision to the Supreme Court).

The Morrisons Effect has caused controversy within the business community, primarily because Morrisons seemingly did everything right – there was no reason to think that the employee was untrustworthy, and the company had adequate and appropriate data protection controls.

The Court based its argument on widely accepted legal principles of vicarious liability and emphasised that, given the significant criminal penalties imposed on employees (in this case 8 years in prison for the employee who breached data protection law), such cases should hopefully be rare.

So what makes an employer vicariously liable?

Firstly, it will be a question of what “field of activities” have been entrusted by the employer to the employee. In this case, dealing with confidential payroll information formed part of the employee’s job role.

Secondly, there must be a sufficient connection between the position held by the employee and his wrongful conduct to make it right for the employer to be held liable. In this case Morrisons attempted to argue that the harm was done by the employee at his home, using his own computer, on a non-working day. He had, however, uploaded the personal data from the Morrisons system to a USB drive some weeks earlier. The argument was unsuccessful, and an “unbroken chain” of events was found to have taken place.

How to protect yourself

Where there is a risk of data misuse or breach, the court considers it prudent for business owners to obtain “cyber insurance” against:

  1. Corporate system failures;
  2. Negligence by individuals acting in the course of their employment; and
  3. Losses caused by dishonest or malicious employees (this may be additional to standard cover – be mindful when purchasing cover).