Hogan Lovells comments on Morrisons data breach case

Commenting on the judgment, privacy and cybersecurity partner at Hogan Lovells Nicola Fulford said: "The Supreme Court's decision will be welcomed by companies, as they now know they are unlikely to be liable for damages following the deliberate act of a rogue employee where the disclosure is not within the "field of activities" assigned to that employee. However, the Court did go on to indicate that employers may, in principle, still be vicariously liable for breaches of data protection legislation where their employees are data controllers in their own right. Companies must continue to ensure their systems and processes for securing their data are robust, even more so given the increased risks of breaches we are seeing during the COVID-19 pandemic."

Matthew Felwick, class actions specialist and partner at Hogan Lovells, added: "This decision will only be of limited comfort for companies that experience a data security breach. The court's reluctance to totally exclude vicarious liability gives another potential tool to claimant lawyers, further increasing the already considerable risks of data class actions in the UK that companies face. We are seeing more and more actions brought by large groups of claimants for damages for the distress and anxiety caused by the misuse of personal data, irrespective of any actual financial loss, and this decision will do little to slow that trend."