Morrisons will not have to pay a single penny to the 100,000 staff whose data was stolen and leaked by a disgruntled IT auditor, after the Supreme Court overturned previous rulings, and held that the retailer was not vicariously liable for his actions.
The issue dates back to 2014 when staffer Andrew Skelton, a man who held a grudge after being wrongly accused of abusing the firm’s post-room policy, leaked data on the entire payroll, putting it online and sending it to newspapers.
He was eventually charged, then jailed for eight years – triggering the legal case that has been bouncing around the British justice system ever since.
At the first High Court hearing in October 2017, Jonathan Barnes, counsel for the victims, told Mr Justice Langstaff that Morrisons had already been awarded £170,000 in compensation against Skelton but that its own staff had not received a penny for the distress his actions had caused.
In December 2017, the High Court found in the claimants’ favour, ruling that although Morrisons was not “directly liable” it was found to be “vicariously liable” for the actions of its employee.
However, Morrisons then appealed but this was booted out in October 2018. Then in April last year Morrisons won the right to have the case heard in the Supreme Court.
A panel of five justices unanimously ruled today that Morrisons was not “vicariously liable” for Skelton’s actions. Announcing the decision via livestream, the court’s president Lord Reed said Skelton leaked the data because of a “grudge” after he was given a verbal warning following disciplinary proceedings.
The judge said employers could only be held liable for the actions of employees if they were “closely connected” with their duties at work.
Lord Reed said: “In the present case, Skelton was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking revenge for the disciplinary proceedings a month earlier. In these circumstances, applying the established approach to cases of this kind, his employer is not vicariously liable.”
Nick McAleenan, from JMW Solicitors who represented the claimants, said: “My clients are of course hugely disappointed by the decision, which contradicts two earlier unanimous findings in their favour.
“The claimants, of course, respect the decision, but the troubling part of this conclusion is that the wrongdoer in this case also wanted to damage his own colleagues, not just Morrisons, and he did so in dramatic fashion.
“For the first time, the Supreme Court has established the legal principle that employers can now be legally responsible for data breaches caused by their employees – under the law of vicarious liability.
“This is very significant because most data breaches are caused by human error. This ruling enhances the protection of data for millions of people in this country who are obliged to hand over their own information to businesses every single day. It will raise standards.
“Morrisons’ staff have lost their claim, but through their legal action they have enhanced the data rights of everyone in the UK.”
Commenting on the case, Mishcon de Reya partner Adam Rose said: “With this judgment, employers – and the insurance sector (which might have been asked to cover a lot of the risk) – can breathe a sigh of relief that they will not be vulnerable to expensive claims arising from the unauthorised actions of rogue employees. They must still comply with the security requirements of GDPR, but – as long as they have done so – they shouldn’t find themselves defending an action in which they were also arguably a victim.”
Related stories
Morrisons in last ditch bid to stop data breach pay-out
Morrisons loses appeal against data breach pay-out
Lawyer slams Morrisons on eve of data ruling appeal
Thousands of Morrisons staff to get data leak pay-off
Morrisons staff start High Court fight over 2014 breach
Morrisons staff take legal action over 2014 breach
Morrisons chief banged up for 8 years
Grudge sparked Morrisons breach
Staffer held over Morrisons breach