Morrisons Data Breach - update
Back in December 2018, we reported that the Court of Appeal had upheld a ruling that the supermarket chain Morrisons was vicariously liable for compensation claims arising from the actions of a former employee jailed for leaking payroll data.
On 1 April 2020, the Supreme Court handed down its judgment in Morrison’s appeal, (WM Morrisons Supermarkets plc (Appellant) v Various Claimants (Respondent)  UKSC 12) finding for the supermarket chain, with the court ruling that Morrisons was not vicariously liable for the rogue actions of an employee, Andrew Skelton, who unlawfully published employee payroll data on the internet.
Various Claimants v Wm Morrison Supermarkets PLC  EWHC3113 (QB) was a group action brought by some 5000 plus Morrisons employees against their employer after a leak of payroll data was made by a disgruntled employee in 2014.
In 2017, the high court ruled that the supermarket chain Morrisons had no primary liability, but was instead vicariously liable for compensation claims arising from the actions of the former employee jailed for leaking payroll data. This ruling of vicarious liability was upheld by the Court of Appeal in 2018.
The payroll details of nearly 10,000 Morrisons employees were removed from the Morrisons database and placed online by one Andrew Skelton, a senior IT auditor, employed by Morrisons. In subsequent investigations they were determined to have been copied in November 2013 for proper purposes, then copied by Andrew Skelton to a personal USB stick and then uploaded to the internet. He himself tried to alert the media to the breach in an attempt to affect share price.
Skelton was arrested, charged with an offence under the Computer Misuse Act 1990 of fraud and under Section 55 of the Data Protection Act 1998, tried at Bradford Crown Court in July 2015, and convicted. He was sentenced to a term of 8 years imprisonment.
5,518 of the affected employees joined group litigation against Morrisons in the High Court alleging both primary and vicarious liability for: (i) misuse of private information; (ii) breach of confidence; and, (iii) breach of the Data Protection Act 1998.
Supreme Court decision
The Supreme Court judges had to decide whether “there was sufficient connection between the position in which he [Skelton] was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice which goes back to Holt CJ”.
The Court concluded that the judge and the Court of Appeal misunderstood the principles governing vicarious liability in a number of respects. It found that “no vicarious liability arises in the present case. Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it can fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment. On long-established principles, the fact that his employment gave him the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability. An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta”.
Will this bring reassurance to companies?
This was an extreme case on the facts, so the relief this ruling brings to companies may not be entirely properly placed and the circumstances in which a company is directly or vicariously liable for an employee or ex-employee’s data breaches is certain to be re-visited.
Companies should still ensure that they have processes, training and controls in place to comply with and ensure ongoing compliance with data protection laws, including what is to happen in the event of a data breach. Should a data breach occur, immediate steps should be put in place.
Posted on 11 May, 2020 by Ortolan