

At the Supreme Court, Morrisons pops data breach liability win into its trolley – but it's not a get-out-of-compo free card for businesses

Vicarious liability now applies to intentional leaks, top court says

Morrisons supermarket is not liable for the actions of a disgruntled employee who deliberately leaked nearly 100,000 employees' payroll data online, Britain's Supreme Court has ruled.

Grudge-bearing auditor

The case was brought over the actions of Andrew Skelton, a Morrisons auditor, who in 2014 was supposed to be transferring payroll data via encrypted USB stick to KPMG. Holding a grudge after being disciplined for abusing company postage to run his side hustle (a protein powder mail-order biz), Skelton made a separate copy of 99,998 employees' payroll information, dumped it online using Tor to cover his tracks and posted CDs of it to three newspapers.

He timed the breach to coincide with Morrisons' annual results in the hope of damaging its public image. The Bradford Telegraph and Argus refused to publish any news based on the CD's contents, instead informing Morrisons of the breach. For his actions, Skelton was handed an eight-year prison sentence in 2015.

Supreme Court judge Lord Reed ruled: "First, the disclosure of the data on the internet did not form part of Skelton's functions or field of activities," also decreeing that previous findings by the High Court and Court of Appeal were mistaken in law. Whether Skelton had been "acting on his employer's business or for purely personal reasons" was a "highly material" question, remarked the judge, contrasting this with how the Court of Appeal had framed it. Lord Reed's view was:

In a case concerned with vicarious liability arising out of a relationship of employment, the court generally has to decide whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of his employer, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.

He duly found that Skelton going off on a tangent of his own to leak the data was not closely connected enough to his job for vicarious liability to be established.

Morrisons off the hook

"Skelton's wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons' liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment," said Lord Reed in a judgment handed down this morning.

While it sets the law on vicarious liability – the legal principle that employers can be held responsible for the actions of employees who commit crimes while on duty – the full judgment will be cold comfort for the 9,000+ Morrisons employees who had their personal details published online and joined the group litigation against the supermarket.

Thanks to this ruling, it is now a clear legal principle that companies can be held vicariously liable for employees' actions that result in a data breach. Nick McAleenan, lead solicitor for the employees, commented: "For the first time, the Supreme Court has established the legal principle that employers can now be legally responsible for data breaches caused by their employees – under the law of vicarious liability."

Lord Reed ruled:

The imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breach of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity.

Unfortunately for the Morrisons workers, the rogue employee in this case had gone too far rogue for the supermarket to be held liable and to pay compensation – a ruling with which Lords Reed, Kerr, Hodge and Lloyd-Jones, along with court president Lady Hale, unanimously agreed.

We can't get a payout for having our data exposed

Lawyers rushed out to comment on the judgment. McAleenan grieved over the main thrust of today's judgment, saying: "My clients entrusted their personal information to their employer, Morrisons, in good faith. When their information was subsequently uploaded to the internet by a fellow employee, it caused an enormous amount of upset and distress to tens of thousands of people. The Supreme Court's decision now places my clients, the backbone of Morrisons' business, in the position of having no legal avenue remaining to challenge what happened to them."

In contrast, Matthew Gill of law firm Wiggin LLP opined: "If the court's decision had gone the other way, Morrisons would have been liable to 100,000 of its employees for a breach of their data despite Morrisons having done everything it reasonably could have to protect that data. Other employers would have faced an untenable risk that if they were hit by a similar theft of data by an employee, they would be left wholly exposed."

The judgment seems likely to please the Information Commissioner's Office, which we revealed had quietly urged the Court of Appeal to dismiss the case last year without even bothering to look at the employees' legal arguments against Morrisons. ®

Bootnote

Our previous coverage of the High Court's judgment is here.

The Court of Appeal case coverage is to be found here and here.

Reports of legal arguments before the Supreme Court are to be found here and here.

 
