On 22 October 2018, the supermarket chain Morrisons lost its appeal to the High Court ruling that it is liable for a data breach that resulted in thousands of its employees’ personal data being posted online. The Court of Appeal’s (CoA) judgment can be found here.

Over 5,000 Morrisons’ employees brought a class action in the High Court after a company employee, Andrew Skelton, stole personal data, which included payroll information of almost 100,000 employees, including names, addresses, bank account details and salaries (see our previous blog on the High Court decision here).

Morrisons argued that Mr Skelton’s actions were insufficiently closely connected for it to be liable, as he perpetrated the act in his own home, on a personal computer and a number of weeks after he had stolen the personal data. The CoA rejected this, and was instead of the view that Mr Skelton’s actions fell “within the field of activities assigned to him” by Morrisons and that there was an unbroken chain of events linking his role as an employee to the disclosure of the personal data.

The CoA also rejected Morrisons’ argument that it was not vicariously liable on the basis that Mr Skelton’s motive was to harm his employer, and not to benefit himself in some way or inflict harm on a third party. All three of the CoA judges therefore agreed with the High Court that Morrisons was vicariously liable for the data breach.Continue Reading Morrisons loses appeal against class action data breach

In a decision that underscores the importance of carefully considering company computer-use policies and permissions, the United States District Court for the Middle District of Florida held last month that a company could not maintain a Computer Fraud and Abuse Act (“CFAA”) claim against a former employee because the company had given the employee “unfettered

This post was written by Daniel Kadar.

France’s highest court (“Cour de cassation”) ruled 26 June 2012 in Monsieur X v. YBC Helpevia that a company’s internal rules may limit an employer’s access to employee emails.

French case-law has traditionally held that employees have a right to privacy at their workplace and that an