Morrisons wins Supreme Court appeal

The highest court in the country has ruled that Morrisons can’t be held responsible for a data breach by a disgruntled employee who leaked personal details of thousands of staff members online.

This ruling is landmark in terms of whether an employer is vicariously liable for data breaches committed by its employees, and also whether vicarious liability may arise for breaches by an employee of duties imposed by the Data Protection Act 1998.

The case arose after an employee, Andrew Skelton, was tasked with transmitting payroll data for the supermarket’s entire workforce to its external auditors in 2014. At the time Skelton did this but also made and kept a personal copy of all the data. In early 2014, Skelton then uploaded the information to a publicly accessible file sharing website and sent anonymously to three UK newspapers.

At this point Morrisons were notified and took immediate steps to have the data removed from the internet and to protect its employees. This included alerting the police and the subsequent arrest, prosecution and imprisonment of Skelton.

As a result Morrisons has faced a number of proceedings aimed at getting compensation from them, on the basis of its vicarious liability for Skelton’s acts.

This resulted in the High Court ruling, in the first class action over a data leak, that the supermarket chain didn’t have “primary liability” but was vicariously liable. A decision upheld by the Court of Appeal.

However today the Supreme Court ruled unanimously that this was not the case saying over video link:

“The decisions of the courts below were contrary to the established approach to questions of this kind, and were based on a misunderstanding of this court’s decision” during a previous case.

A statement from Morrisons on today’s ruling said: “The theft of data happened because a single employee with legitimate authority to hold the data, also held a secret and wholly unreasonable grudge against Morrisons and wanted to hurt the company and our colleagues.

“We are pleased that the Supreme Court has agreed that Morrisons should not be held vicariously liable for his actions when he was acting alone, to his own criminal plan and he’s been found guilty of this crime and spent time in jail. A court has already found that Morrisons was not responsible for any direct wrongdoing in respect of this data theft. We also know that many colleagues appreciated the way we got the data taken down quickly, provided protection for their bank accounts and reassured them that they would not, in any circumstances, be financially disadvantaged. In fact, we’ve seen absolutely no evidence of anyone suffering any direct financial loss.”

Click here to sign up to receive our new South West business news...
Close