Supermarket chain Morrisons will not be held vicariously liable for a malicious data leak caused by a disgruntled employee, the courts have said, in a ruling that legal experts said would be “welcome news” for employers.
The Supreme Court ruled Morrisons was not liable for the actions of Andrew Skelton, who was acting on “a grudge” when he leaked payroll data for more than 100,000 Morrisons workers, adding that vicarious liability should only arise when the act is closely connected to the employee’s job.
The judgment overturned a previous Court of Appeal ruling that, if upheld, would have significantly extended employers’ liability for data breaches, even in cases where an employee’s actions are criminal and they actively attempt to hide their wrongdoing.
In yesterday’s Supreme Court ruling, the court’s president, Lord Reed, said Skelton was not “engaged in furthering his employer’s business when he committed the wrongdoing” and was instead “pursuing a personal vendetta” and sought vengeance for disciplinary proceedings made against him by Morrisons some months earlier.
Reed concluded: “The circumstances in which Skelton committed wrongs against the claimants were not such as to result in the imposition of vicarious liability upon his employer. Morrisons cannot therefore be held liable for Skelton’s conduct. It follows that the appeal must be allowed.”
Julia Wilson, employment partner at Baker McKenzie, said employers could “breathe a sigh of relief” at the Supreme Court’s decision, and that the previous Court of Appeal ruling had “stretched the concept of an employer's vicarious liability for its employees very far”.
“If the Court of Appeal decision had been upheld, the level of damages Morrisons might have faced would be huge,” she added.
But Wilson and other legal experts cautioned that the ruling did not completely eradicate the risk of vicarious liability caused by data breaches.
Paul Holcroft, associate director at Croner, said the case demonstrated that this form of vicarious liability should only arise when wrongdoing is closely connected to the job of the employee. “Here, the individual abused his position to conduct criminal acts because of his own personal grudge,” he said, adding that the fact the case went all the way to the Supreme Court showed this was an unclear area, and future rulings would be “fact specific”.
“To this end, it is important companies are prepared to respond quickly to any circumstances when they could face liability for the actions of their staff,” Holcroft said.
And Claire Greaney, senior associate at Charles Russell Speechlys, added that the ruling would be “welcome news” for businesses. “Going forward, in these ‘rogue employee’ cases the focus will be on what the data controller has or hasn’t done to prevent the breach from occurring. Courts will be looking at whether the data security principle of the GDPR has been breached,” she said.
But Greaney added: “The court did not say there could never be vicarious liability for the conduct of employees in the world of data protection. If the door to vicarious liability was left ajar by the Court of Appeal, the Supreme Court has confirmed that it is staying open.
“In the GDPR era of mandatory notification, businesses will need to look carefully at the measures they take to mitigate these risks, including taking out data insurance to protect themselves.”
In 2014, following disciplinary action made against him months earlier, Skelton – who was at the time employed by Morrisons as a senior internal auditor at its headquarters – leaked payroll data by posting it online and sending it to three national newspapers. The breach of employee personal data, which included names, salaries, bank details and addresses, saw Skelton jailed for eight years in 2015 on charges of fraud, securing unauthorised access to computer material and disclosing personal data.
This resulted in 9,263 Morrisons employees and former employees bringing a class action claim against the supermarket seeking compensation for distress and arguing the breach exposed them to possible identity theft and financial loss. The High Court initially ruled Morrisons was “vicariously liable for the torts committed by Mr Skelton against the [workers]”, a ruling that was later upheld by three Court of Appeal judges.
Despite the legal clarity on data breaches the ruling provides, James Seadon, data protection expert and IP and tech partner at Fieldfisher, said it was “critical that businesses remain vigilant”.
“Relying on legal argument alone will not address the menace of data breaches. Employers [should] continue to assess the technical and organisational measures that they have in place to protect personal and other data,” said Seadon.
A statement issued by Morrisons said it was “pleased” with the Supreme Court ruling that it was “not responsible for any direct wrongdoing in respect of this data theft”, and highlighted that its quick action to take the data down “provided protection”.
It added that the organisation had seen “absolutely no evidence of anyone suffering any direct financial loss”.