Supreme Court rules Morrisons was not liable for 2014 data breach

Supermarket can't be held liable for the criminal actions of a former auditor who leaked financial data

The UK’s Supreme Court has ruled that Morrisons was not liable for a staff member who unlawfully disclosed the personal data of thousands of the company’s employees in 2014.

After a disgruntled employee leaked the payroll information of 100,000 of the supermarket chain’s workers six years ago, Morrisons was found to be vicariously liable, as opposed to directly liable. 

The Supreme Court has overruled past decisions after Morrisons lodged an appeal, however, with judges finding the supermarket could not be held responsible for the actions of former auditor Andrew Skelton.

After receiving a verbal warning following disciplinary proceedings in 2013, Skelton was tasked with transmitting payroll data for Morrisons’ entire workforce to external auditors, as he had done the previous year.

Skelton completed the task, but also made a personal copy of the data.

He uploaded a file containing the data to a publicly accessible filesharing website in 2014, and sent the file anonymously to three UK newspapers, posing as a concerned member of the public.

Morrisons was then alerted and took steps to have the data removed and to contact the police, who arrested Skelton following an investigation. He was imprisoned in 2015 for eight years.

Some of the affected employees brought proceedings against the supermarket, seeking compensation, with arguments centred on its statutory duty under the Data Protection Act 1998, with regard to the misuse of private information and breach of confidence.

The High Court, at the time, ruled in favour of the company’s employees and rejected Morrisons’ argument that "vicarious liability" was inappropriate given the DPA’s content and its foundation in an EU directive.

Morrisons appealed to the High Court, which upheld the initial ruling in 2018, leaving the company facing the prospect of a hefty compensation bill for its employees. 

The supermarket then took the case to the Supreme Court, which unanimously allowed the appeal. Lord Reed ruled in the supermarket chain’s favour, with fellow judges agreeing on the decision. 

“The Court concludes that the judge and the Court of Appeal misunderstood the principles governing vicarious liability in a number of respects,” the Supreme Court said. 

“The online disclosure of the data was not part of Skelton’s ‘field of activities’, as it was not an act which he was authorised to do.

“Considering the question afresh, no vicarious liability arises in the present case. Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it can fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment.”

The Supreme Court’s ruling, a reversal of past decisions, has implications for all organisations that may fear repercussions should a disgruntled employee violate data protection laws.

“With this judgment, employers – and the insurance sector (which might have been asked to cover a lot of the risk) – can breathe a sigh of relief that they will not be vulnerable to expensive claims arising from the unauthorised actions of rogue employees,” said Mishcon de Reya partner Adam Rose.

“They must still comply with the security requirements of GDPR, but – as long as they have done so – they shouldn't find themselves defending an action in which they were also arguably a victim.”
