Supreme Court rules Morrisons was not liable for 2014 data breach

Supermarket can't be held liable for the criminal actions of a former auditor who leaked financial data

The UK’s Supreme Court has ruled that Morrisons was not liable for a staff member who unlawfully disclosed the personal data of thousands of the company’s employees in 2014.

After a disgruntled employee leaked the payroll information of 100,000 of the supermarket chain’s workers six years ago, Morrisons was found to be vicariously liable, as opposed to directly liable. 

The Supreme Court has overruled past decisions after Morrisons lodged an appeal, however, with judges finding the supermarket could not be held responsible for the actions of former auditor Andrew Skelton.

After receiving a verbal warning following disciplinary proceedings in 2013, Skelton was tasked with transmitting payroll data for Morrisons’ entire workforce to external auditors, as he had done the previous year.

Skelton completed the task, but also made a personal copy of the data.

He uploaded a file containing the data to a publicly accessible filesharing website in 2014, and sent the file anonymously to three UK newspapers, posing as a concerned member of the public.

Morrisons was then alerted and took steps to have the data removed and contact the police, who arrested Skelton following an investigation. He was imprisoned in 2015 for eight years.

Some of the affected employees brought proceedings against the supermarket, seeking compensation, with arguments centred on its statutory duty under the Data Protection Act 1998, with regard to the misuse of private information and breach of confidence.

The High Court, at the time, ruled in favour of the company’s employees and rejected Morrisons’ argument that "vicarious liability" was inappropriate given the DPA’s content and its foundation in an EU directive.

Morrisons appealed to the High Court, which upheld the initial ruling in 2018, leaving the company facing the prospect of a hefty compensation bill for its employees. 

The supermarket then took the case to the Supreme Court, which unanimously allowed the appeal. Lord Reed ruled in the supermarket chain’s favour, with fellow judges agreeing on the decision. 

“The Court concludes that the judge and the Court of Appeal misunderstood the principles governing vicarious liability in a number of respects,” the Supreme Court said. 

“The online disclosure of the data was not part of Skelton’s ‘field of activities’, as it was not an act which he was authorised to do.

“Considering the question afresh, no vicarious liability arises in the present case. Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it can fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment.”

The Supreme Court’s ruling, a reversal of past decisions, has implications for all organisations that may fear repercussions should a disgruntled employee violate data protection laws.

“With this judgment, employers – and the insurance sector (which might have been asked to cover a lot of the risk) – can breathe a sigh of relief that they will not be vulnerable to expensive claims arising from the unauthorised actions of rogue employees,” said Mishcon de Reya partner Adam Rose.

“They must still comply with the security requirements of GDPR, but – as long as they have done so – they shouldn't find themselves defending an action in which they were also arguably a victim.”
