In Europe, the UK is ahead of the curve when it comes to data breach litigation. The recent UK Supreme Court judgment in Morrisons clarified that the doctrine of vicarious liability does not mean that employers are liable for data breaches resulting from the unauthorised acts of their employees that are outside the course of their employment and are not closely connected to authorised employment activities.  This sensible judgment is good news, but the overall trend towards mass compensation claims in the aftermath of serious breaches continues alongside the trend of regulatory investigation and enforcement action. Claims can be brought for direct liability for failures to comply with the GDPR and the UK Data Protection Act 2018 and vicarious liability for acts or omissions of employees in the ordinary course of their employment (such as errors and omissions). There is no way to eradicate the insider threat, but employers can take steps to mitigate the risk of breaches occurring (and possibly the quantum of any regulatory fines and damages awarded by courts). See the Cybersecurity Law Report piece below for the views of experts from leading firms and also the Dentons deep dive on the judgment at