Supreme Court rules Morrisons was not liable for 2014 data breach

Supermarket can't be held liable for the criminal actions of a former auditor who leaked financial data

The UK’s Supreme Court has ruled that Morrisons was not liable for a staff member who unlawfully disclosed the personal data of thousands of the company’s employees in 2014.

Related Resource

Cyber security for accountants

3 ways to protect yourself and your clients online

Download now

After a disgruntled employee leaked the payroll information of 100,000 of the supermarket chain’s workers six years ago, Morrisons was found to be vicariously liable, as opposed to directly liable. 

The Supreme Court has overruled past decisions after Morrisons lodged an appeal, however, with judges finding the supermarket could not be held responsible for the actions of former auditor Andrew Skelton.

After receiving a verbal warning following disciplinary proceedings in 2013, Skelton was tasked with transmitting payroll data for Morrison’s entire workforce to external auditors, as he had done the previous year. 

Skelton completed the task, but also made a personal copy of the data.

He uploaded a file containing the data to a publicly accessible filesharing website in 2014, and sent the file anonymously to three UK newspapers, posing as a concerned member of the public.

Morrisons was then alerted and took steps to have the data removed and contact the police, who arrested Skelton following an investigation. He was imprisoned in 2015 for eight years.

Some of the affected employees brought proceedings against the supermarket, seeking compensation, with arguments centred on its statutory duty under the Data Protection Act 1998, with regards to the misuse of private information and breach of confidence. 

The High Court, at the time, ruled in favour of the company’s employees and rejected Morrison’s argument that "vicarious liability" was inappropriate given the DPA’s content and its foundation in an EU directive.

Morrisons appealed to the High Court, which upheld the initial ruling in 2018, leaving the company facing the prospect of a hefty compensation bill for its employees. 

The supermarket then took the case to the Supreme Court, which unanimously allowed the appeal. Lord Reed ruled in the supermarket chain’s favour, with fellow judges agreeing on the decision. 

“The Court concludes that the judge and the Court of Appeal misunderstood the principles governing vicarious liability in a number of respects,” the Supreme Court said. 

“The online disclosure of the data was not part of Skelton’s “field of activities”, as it was not an act which he was authorised to do.

“Considering the question afresh, no vicarious liability arises in the present case. Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it can fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment.”

The Supreme Court’s ruling, a reversal of past decisions, has implications for all organisations who may fear repercussions should a disgruntled employee violate data protection laws. 

"With this judgment, employers – and the insurance sector (which might have been asked to cover a lot of the risk) – can breathe a sigh of relief that they will not be vulnerable to expensive claims arising from the unauthorised actions of rogue employees,” said Mishcon de Reya partner Adam Rose.

“They must still comply with the security requirements of GDPR, but – as long as they have done so – they shouldn't find themselves defending an action in which they were also arguably a victim.”

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Misconfigured Git servers lead to Nissan data leak
hacking

Misconfigured Git servers lead to Nissan data leak

7 Jan 2021
BackupAssist teams with Wasabi to offer cheaper backup for businesses
backup

BackupAssist teams with Wasabi to offer cheaper backup for businesses

6 Jan 2021
Data: A resource much too valuable to leave unprotected
Whitepaper

Data: A resource much too valuable to leave unprotected

2 Dec 2020
Webhose and Signal Corp boost data breach detection
Security

Webhose and Signal Corp boost data breach detection

7 Oct 2020

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is the Raspberry Pi Pico?
Hardware

What is the Raspberry Pi Pico?

21 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021