In 2014, Morrisons employee Andrew Skelton leaked his colleagues’ payroll data in an act of revenge against his employer after he was issued a verbal warning for using the company’s post room to run an online business selling ‘legal highs’. Skelton was subsequently jailed for eight years for fraud, securing unauthorised access to computer material and unlawfully disclosing personal data.
A group of more than 9,000 of the affected staff launched the UK’s first data breach-related group action against Morrisons for the alleged upset and distress caused to them by Skelton’s actions. The claimants alleged that Morrisons was also liable for the data breach because it was carried out by Skelton in the course of his employment. In 2017, the High Court ruled that Morrisons was indeed liable for the data breach and ordered it to pay compensation to the employees.
The decision was met with understandable concern by employers up and down the country, and not surprisingly Morrisons appealed. The appeal was dismissed by the Court of Appeal in October 2018, leading the supermarket to launch a further appeal in the Supreme Court.
Throughout this case, Morrisons’ argument has always been that Skelton’s actions were so far removed from what he was paid to do that they should not be liable. It said this was a vindictive act that could not in any way have been foreseen by the supermarket and was not connected to the tasks that he was employed to do. Morrisons was clear that it had done everything it reasonably could have done to protect the data and therefore should not be liable for Skelton’s unlawful and unpredictable behaviour.
The employees, on the other hand, argued that they had entrusted their data to their employer and that the leaking of the information caused them considerable distress for which they would have no meaningful recourse if Morrisons was not held liable.
In the end, the Supreme Court judges were unanimous in their decision that Morrisons was not liable for Skelton’s actions. They noted that this case was one of a kind and they had never been asked to rule on a case that involved someone trying to deliberately inflict harm on their employer.
In his judgment, the president of the Supreme Court, Lord Reed, said: “Skelton was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking revenge for the disciplinary proceedings a month earlier. In these circumstances, applying the established approach to cases of this kind, his employer is not vicariously liable.”
The decision in WM Morrison Supermarkets plc v Various Claimants seems clearly right, but employers should not become complacent. Businesses can still be liable for the actions of employees that result in a data breach in circumstances where there is a ‘sufficient connection’ between their nefarious activities and what they are paid to do.
To avoid liability, employers need to take all necessary steps to comply with the GDPR, including having the appropriate safeguards in place (ie training, policies and monitoring) to protect against data breaches by rogue employees. The facts in the Morrisons case were quite extreme and there are many other situations where not having the proper safeguards in place will come back to haunt employers.
James Tait is a partner at Browne Jacobson