LAWYERS have weighed in on Morrisons' successful Supreme Court challenge, with one calling it "a landmark data breach case".

The Bradford-based supermarket was found not 'vicariously liable' for the actions of a disgruntled employee who shared personal data from its payroll systems.

But what do the experts say and why is it historic?

Glenn Hayes, an employment law partner at Irwin Mitchell, said: “The key question for the courts here is was the wrongdoing done ‘in the course of employment’?

“The Court of Appeal had held that the motive of the employee was ‘irrelevant’ and that Morrisons was responsible for the fact that he deliberately uploaded the data of around 100,000 members of staff to a publicly accessible website. The Supreme Court has however said this was wrong and that Morrisons was not liable for its employee’s deliberate acts.

“The test is whether an employee’s wrongdoing is so closely connected with the acts they are authorised to do, such that it can be properly regarded as being done by their employer.

"Employers will welcome this decision and be reassured they won’t usually be responsible for the actions of any member of staff who deliberately inflicts harm on it or their staff. For a while, it had looked as though the scope of vicarious liability was becoming enormously, and dangerously, wide.”

Another firm said this area of law is continuing to change in the face of internet challenges.

James Seadon, data protection expert and IP and Tech partner at Fieldfisher, said: "The Supreme Court's decision will be welcomed by employers in clarifying the scope of their vicarious liability for the acts of employees when it comes to data breaches.

"Nonetheless, although this may be seen to have relaxed the view of the Court of Appeal, it's critical (particularly in the fortified regulatory environment of GDPR and the DPA 2018) that businesses remain vigilant as to these risks. Relying on legal argument alone will not address the menace of data breaches. Employers continue to assess the technical and organisational measures that they have in place to protect personal and other data. These might include locking down USB ports, preventing access to unauthorised webmail and filesharing sites and adding access controls to key information, as well as ensuring that such policing does not tip the scales when it comes to privacy and that appropriate policies are in place to support the chosen approach.

"Similarly, this litigation and the interest in it has demonstrated the power of collective actions in the wake of data breaches. It's already clear that this is a growing area of law and we expect that trend to continue."