Supreme Court rules in favour of Morrisons over data breach
Updated : 13:28
The Supreme Court has ruled that Wm Morrison cannot be held responsible for a data breach that led to the payroll data of thousands of employees being leaked.
The case was bought by a number of claimants, including some affected employees. They argued that the supermarket chain was liable for the actions of Andrew Skelton, the former employee who leaked the data.
But the UK’s highest court, delivering its verdict via live-stream because of Covid-19 lockdown measures, ruled on Wednesday that no vicarious liability arose in the case.
The judgement noted: “The fact that his employment gave him the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability.”
Skelton was employed as a member of the internal audit team at Morrisons, and was tasked with transmitting payroll data for the entire workforce to external auditors. In November 2013, he carried out the task, but also made and kept a personal copy of the data which he uploaded to a filesharing website and sent to three newspapers the following year.
The newspapers did not publish the information, but instead alerted Morrisons to the breach.
A spokesperson for Morrisons said the company was “pleased” with the ruling. “The theft of data happened because a single employee with legitimate authority to hold the data also held a secret and wholly unreasonable grudge against Morrisons and wanted the hurt the company and our colleagues.”
Skelton, who developed the grudge after receiving a verbal warning for a minor misconduct, has already spent time in jail for the breach.
The spokesperson continued: “A court has already found that Morrisons was not responsible for any direct wrongdoing in respect of this data theft. We also know that many colleagues appreciated the way we got the data taken down quickly, provided protection for their bank accounts, and reassured them that they would not, in any circumstances, be financially disadvantaged.”
The case is believed to be the first data protection group action. Morrisons lost the case at first instance and at the Court of Appeal, but the Supreme Court said both courts had misunderstood the principles governing vicarious liability “in a number of respects”.
Morrisons’ lead counsel was David Pannick QC, who acted on behalf of Gina Miller in her prorogation case against the government last year.