Morrisons data leak case ‘makes employers more liable for staff behaviour’

Supermarket loses challenge to high court ruling after employee’s criminal data breach

Experts have warned that the concept of vicarious liability for the behaviour of employees may have been significantly extended, after Morrisons lost its challenge to a high-profile high court ruling regarding a data breach which led to thousands of employees’ details being posted online.

The Court of Appeal upheld the 2017 decision against Morrisons, but the supermarket chain said it would appeal the new ruling to the Supreme Court. 

Workers brought a claim against Morrisons after an employee, Andrew Skelton, stole personal data – including names, addresses, salaries and bank details – of almost 100,000 staff. 

In 2014, Skelton, then a senior internal auditor at Morrisons’ headquarters, leaked the payroll data, posting it online and sending it to newspapers. He was jailed for eight years in 2015 after being found guilty of fraud, securing unauthorised access to computer material and disclosing personal data. 

More than 5,000 of the affected employees brought a case, seeking compensation for distress and arguing the breach exposed them to possible identity theft and financial loss. The retailer argued it could not be held liable for the criminal misuse of its data.

Three Court of Appeal judges rejected Morrisons’ appeal, upholding the High Court’s earlier ruling that Morrisons was “vicariously liable for the torts committed by Mr Skelton against the [workers]”.

The Morrisons case is the first data leak class action in the UK. Experts said the case would be concerning for employers as it potentially places a far greater liability on them for the actions of their employees. 

Andrew Willis, head of legal at HR-inform, said recent case law including Morrisons highlighted that if a close connection can be found between an employee's role and their conduct, that would be enough to satisfy the requirements for vicarious liability. 

“The fact that, in this case, the employee’s role granted him access to the protected data meant the company had a responsibility over his activities with the information regardless of what his motive was,” Willis said. “The case also serves to remind employers of the importance of data protection in light of the GDPR and how strong control processes need to be in place even in highly trusted parts of the business.” 

Susan Doris-Obando, counsel at Dentons, added: “As a result of the Court of Appeal’s decision, it will be very difficult for employers to avoid vicarious liability for the acts of their employees, even when those acts are criminal in nature, provided such acts have some connection with employment.”

Doris-Obando said the case reinforced the need for employers to be alert to protecting their IT systems and personnel data from disgruntled employees. 

“The coming into force of GDPR this year has made HR departments focus on employee personal data security in order to avoid the implementation of significant fines,” she said. 

“This case makes it clear that any steps taken to ensure GDPR compliance may be insufficient to protect an employer from claims of employees whose personal data has been compromised as a result of criminal acts of a disgruntled employee.”

Richard Hayllar, partner at law firm TLT, said the judgment suggested data breaches would become the “next big claims theme for businesses”. 

“Data security isn't just about protecting yourself from potential fines and reputational damage,” Hayllar said. “This case has confirmed businesses can face considerable damages for financial and non-financial loss as well – mere distress is sufficient for damages to be paid.”

A spokesperson for Morrisons said the supermarket had “not been blamed by the courts for the way it protected colleagues' data, but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.

“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.”

Morrisons said it planned to appeal the decision to the Supreme Court.