In a landmark case of Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, the UK Supreme Court has recently held that an employer is not vicariously liable for a deliberate data breach committed by a former rogue employee.

The decision indicates that an employer is unlikely to be liable for a malicious data breach committed by an employee, where the wrongful conduct is not closely connected with the employee’s tasks at work.

In reaching its decision, the Court considered the extent of an employer’s liability for a data breach committed by an employee. Mr Skelton, was an internal auditor at Morrisons, and he maliciously disclosed his co-workers’ personal data, including payroll data, on the internet. Arising from the data breach, over 5,5000 employees sued Morrisons for compensation for loss caused by the data breach, including non-pecuniary loss such as distress.

The first instance trial court held that Morrisons bore no primary responsibility, but was vicariously liable for the rogue employee’s actions, even though the data breach was targeted at harming Morrisons and that that Mr Skelton was acting in the course of his employment.

The matter was appealed and eventually ended up coming before the UK Supreme Court. It unanimously allowed the appeal, and held that Morrisons was not vicariously liable for the data breach.

The Supreme Court held that the test applicable to vicarious liability is: the wrongful conduct must be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.

The Court held that Mr Skelton was authorised to transmit payroll data to the auditors only. The wrongful online disclosure of co-workers’ personal data, was not so “closely connected” with that task that it could fairly and properly be regarded as being done while acting in the ordinary course of his employment. In conclusion, the Court held that an employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta.

This decision of the UK Supreme Court, while only of persuasive authority in the Irish jurisdiction does provides some guidance on how the Irish courts might approach the issue of employers’ vicarious liability for malicious data breaches committed by employees.