Supreme Court rules Morrisons was not liable for 2014 data breach

Supermarket can't be held liable for the criminal actions of a former auditor who leaked financial data

The UK’s Supreme Court has ruled that Morrisons was not liable for a staff member who unlawfully disclosed the personal data of thousands of the company’s employees in 2014.


After a disgruntled employee leaked the payroll information of 100,000 of the supermarket chain’s workers six years ago, Morrisons was found to be vicariously liable, as opposed to directly liable. 


However, the Supreme Court has overruled past decisions after Morrisons lodged an appeal, with judges finding the supermarket could not be held responsible for the actions of former auditor Andrew Skelton.

After receiving a verbal warning following disciplinary proceedings in 2013, Skelton was tasked with transmitting payroll data for Morrisons’ entire workforce to external auditors, as he had done the previous year.

Skelton completed the task, but also made a personal copy of the data.

He uploaded a file containing the data to a publicly accessible filesharing website in 2014, and sent the file anonymously to three UK newspapers, posing as a concerned member of the public.

Morrisons was then alerted and took steps to have the data removed and to contact the police, who arrested Skelton following an investigation. He was imprisoned in 2015 for eight years.

Some of the affected employees brought proceedings against the supermarket, seeking compensation, with arguments centred on its statutory duty under the Data Protection Act 1998, with regard to the misuse of private information and breach of confidence.


The High Court, at the time, ruled in favour of the company’s employees and rejected Morrisons’ argument that "vicarious liability" was inappropriate given the DPA’s content and its foundation in an EU directive.

Morrisons appealed to the High Court, which upheld the initial ruling in 2018, leaving the company facing the prospect of a hefty compensation bill for its employees. 

The supermarket then took the case to the Supreme Court, which unanimously allowed the appeal. Lord Reed ruled in the supermarket chain’s favour, with fellow judges agreeing on the decision. 

“The Court concludes that the judge and the Court of Appeal misunderstood the principles governing vicarious liability in a number of respects,” the Supreme Court said. 

“The online disclosure of the data was not part of Skelton’s ‘field of activities’, as it was not an act which he was authorised to do.

“Considering the question afresh, no vicarious liability arises in the present case. Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it can fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment.”


The Supreme Court’s ruling, a reversal of past decisions, has implications for all organisations that may fear repercussions should a disgruntled employee violate data protection laws.

“With this judgment, employers – and the insurance sector (which might have been asked to cover a lot of the risk) – can breathe a sigh of relief that they will not be vulnerable to expensive claims arising from the unauthorised actions of rogue employees,” said Mishcon de Reya partner Adam Rose.

“They must still comply with the security requirements of GDPR, but – as long as they have done so – they shouldn't find themselves defending an action in which they were also arguably a victim.”
