We are currently experiencing problems with our phone system which means some calls to us are not getting through. If you can’t get through to us, please email us at info@ortolan.com and we’ll get right back to you.

News

​Morrisons Data Breach - update

Back in December 2018, we reported that the Court of Appeal had upheld a ruling that the supermarket chain Morrisons was vicariously liable for compensation claims arising from the actions of a former employee jailed for leaking payroll data.

On 1 April 2020, the Supreme Court handed down its judgment in Morrison’s appeal, (WM Morrisons Supermarkets plc (Appellant) v Various Claimants (Respondent) [2020] UKSC 12) finding for the supermarket chain, with the court ruling that Morrisons was not vicariously liable for the rogue actions of an employee, Andrew Skelton, who unlawfully published employee payroll data on the internet.

Brief recap

Various Claimants v Wm Morrison Supermarkets PLC  [2017] EWHC3113 (QB) was a group action brought by some 5000 plus Morrisons employees against their employer after a leak of payroll data was made by a disgruntled employee in 2014.

In 2017, the high court ruled that the supermarket chain Morrisons had no primary liability, but was instead vicariously liable for compensation claims arising from the actions of the former employee jailed for leaking payroll data. This ruling of vicarious liability was upheld by the Court of Appeal in 2018.

Brief Facts

The payroll details of nearly 10,000 Morrisons employees were removed from the Morrisons database and placed online by one Andrew Skelton, a senior IT auditor, employed by Morrisons. In subsequent investigations they were determined to have been copied in November 2013 for proper purposes, then copied by Andrew Skelton to a personal USB stick and then uploaded to the internet. He himself tried to alert the media to the breach in an attempt to affect share price.

Skelton was arrested, charged with an offence under the Computer Misuse Act 1990 of fraud and under Section 55 of the Data Protection Act 1998, tried at Bradford Crown Court in July 2015, and convicted. He was sentenced to a term of 8 years imprisonment.

5,518 of the affected employees joined group litigation against Morrisons in the High Court alleging both primary and vicarious liability for: (i) misuse of private information; (ii) breach of confidence; and, (iii) breach of the Data Protection Act 1998.

Supreme Court decision

The Supreme Court judges had to decide whether “there was sufficient connection between the position in which he [Skelton] was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice which goes back to Holt CJ”.

The Court concluded that the judge and the Court of Appeal misunderstood the principles governing vicarious liability in a number of respects. It found that “no vicarious liability arises in the present case. Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it can fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment. On long-established principles, the fact that his employment gave him the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability. An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta”.

Will this bring reassurance to companies?

This was an extreme case on the facts, so the relief this ruling brings to companies may not be entirely properly placed and the circumstances in which a company is directly or vicariously liable for an employee or ex-employee’s data breaches is certain to be re-visited.

Companies should still ensure that they have processes, training and controls in place to comply with and ensure ongoing compliance with data protection laws, including what is to happen in the event of a data breach. Should a data breach occur, immediate steps should be put in place.

Posted on 11 May, 2020 by Ortolan

Get in Touch

If you would like to know more about Ortolan Legal and how we can help you reduce your ongoing recruitment costs, get in touch!

Email us now

   Or call 020 3743 0600

Unipart Group has used Ortolan Legal’s services to supplement our in-house legal team for a number of years. We keep coming back to them because their unique combination of experienced, high quality lawyers at extremely cost-effective rates sets them apart from other law firms. It also has to be said that their team are personable, highly commercial and very responsive. I would recommend them without reservation.

Richard Collins, Group Legal Director Unipart
See All
Receive news & updates from Ortolan Legal

Meet the Team

  • Nick Benson Nick Benson I qualified as a commercial and corporate solicitor…
  • Liz Delgado Liz Delgado I qualified as a solicitor in 1995 after studying…
  • Jude Mladek Jude Mladek I graduated with a law degree in 1998 and after…