Morrisons not liable for rogue employee data leak
The Supreme Court has found that supermarket chain Morrisons cannot be held liable for the actions of a rogue employee who leaked the personal data of 100,000 former colleagues. Robert Scammel reports on the matter.
A panel of five justices has unanimously ruled that Morrisons was not “vicariously liable” for the actions of aggrieved ex-Morrisons auditor Andrew Skelton, who in 2013 downloaded the payroll data of 98,998 Morrisons employees and uploaded the data onto a file-sharing website in January 2014.
Skelton also sent the file anonymously to three UK newspapers, which did not publish the information. He was subsequently sentenced to eight years in prison for securing unauthorised access to computer material and disclosing personal data.
Some 9,000 of the affected employees sought compensation from Morrisons for “upset and distress”. They brought the case against Morrisons for breach of statutory duty under the Data Protection Act, misuse of private information and breach of confidence.
Final verdict after appeals
In 2017 the High Court found Morrisons liable for the breach, a decision the British supermarket then challenged. However, in 2018 the Court of Appeal upheld the original decision, leaving the Supreme Court as Morrisons’ final legal avenue.
The Supreme Court has now concluded that the previous judge and Court of Appeal “misunderstood” the principles governing vicarious liability “in a number of respects”.
Disclosing the personal information was not part of Skelton’s “field of activities” that he was authorised to do, the Supreme Court found.
Employers can only be held liable for the actions of employees if these actions are “closely connected” to their everyday duties.
Pursuing a personal vendetta
Speaking via livestream, Supreme Court president Lord Robert Reed said: “In the present case, Skelton was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question.”
Instead, the court determined that Skelton was “pursuing a personal vendetta” in response to disciplinary proceedings from Morrisons in the months prior to the data leak.
The court also found it “highly material whether Skelton was acting on his employer’s business or for purely personal reasons”.
Morrisons: “No evidence of anyone suffering direct financial loss”
A statement issued by Morrisons after the ruling said: “The theft of data happened because a single employee with legitimate authority to hold the data, also held a secret and wholly unreasonable grudge against Morrisons and wanted to hurt the company and our colleagues.
“We are pleased that the Supreme Court has agreed that Morrisons should not be held vicariously liable for his actions when he was acting alone, to his own criminal plan and he’s been found guilty of this crime and spent time in jail.
“A court has already found that Morrisons was not responsible for any direct wrongdoing in respect of this data theft.
“We also know that many colleagues appreciated the way we got the data taken down quickly, provided protection for their bank accounts and reassured them that they would not, in any circumstances, be financially disadvantaged.
“In fact, we’ve seen absolutely no evidence of anyone suffering any direct financial loss.”
Implications of Morrisons data leak judgement
Data protection experts had been paying close attention to the Morrisons data leak case, fearing it would set a precedent that held employers liable for the actions of a rogue employee.
“This judgment will be a relief for UK businesses but is largely restricted to its facts and there are still a large number of other class actions for data breaches in progress. The threat of significant liability for data breaches remains,” said Peter Church, TMT Counsel at law firm Linklaters.
“The more interesting issue was not whether Morrisons was liable, but the compensation each employee would have received if they had been liable.
“Many employees would have struggled to show they had suffered any actual loss or harm suggesting their compensation should be minimal. This is relevant to the other outstanding class actions but following the dismissal of this claim, we may have to wait longer for the answer.”
James Seadon, data protection expert and IP and Tech partner at law firm Fieldfisher, said the Supreme Court’s judgement would be welcomed by employers.
“Nonetheless, although this may be seen to have relaxed the view of the Court of Appeal, it’s critical – particularly in the fortified regulatory environment of GDPR and the DPA 2018 – that businesses remain vigilant as to these risks,” he said.
“Relying on legal argument alone will not address the menace of data breaches. Employers continue to assess the technical and organisational measures that they have in place to protect personal and other data.”
Morrisons spent more than £2.26m in the immediate aftermath of the data leak, with a “significant element” of it spent on identity protection measures for its employees.
“Organisations should still appreciate that having appropriate security measures in place includes guarding against insider threat,” added Robert Wassall, director of legal services at Norm Cyber.