Morrisons wins legal case over data breach liability
The UK’s highest court has ruled that Morrisons is not legally liable for the actions of a disgruntled former employee who leaked the data of more than 100,000 workers.
Supreme Court judge Lord Reed ruled this morning that the supermarket was not vicariously liable for the conduct of Andrew Skelton, who was jailed in 2015 for the data breach.
More than 9,200 Morrisons employees brought the claim against the supermarket after personal information – including salaries and bank details – was posted online by Skelton.
The case was heard in the Supreme Court after Morrisons lost a battle in the Court of Appeal in October 2018.
The court said then that Morrisons was “vicariously” liable for the misuse of data under their control, in a ruling on the UK’s first data breach class action, which would have had huge financial and technical repercussions for firms if it had been upheld by the Supreme Court.
“Considering the question afresh, no vicarious liability arises in the present case,” the Supreme Court judgement on the Morrisons case said.
“Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it can fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment.
“On long-established principles, the fact that his employment gave him the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability.
“An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta.”
A Morrisons spokesperson said: “We are pleased that the Supreme Court has agreed that Morrisons should not be held vicariously liable for his actions when he was acting alone, to his own criminal plan and he’s been found guilty of this crime and spent time in jail.”