Supermarket chain Morrisons has won its appeal in the Supreme Court over a data breach that occurred in 2013. It brings to an end a case which sought to make Morrisons vicariously liable for the behaviour of a disgruntled former employee, Andrew Skelton.
Morrisons had been found liable on that claim by a lower court, a decision that was upheld on appeal. In November 2019, Morrisons took the case to the Supreme Court. That court has now ruled that Morrisons was not responsible for the actions of its employee, Andrew Skelton.
According to Charlotte Smith, an Associate at London-based public law specialists, Sharpe Pritchard: “The judgment of the Supreme Court will be welcomed by controllers. The High Court ruled on this case in 2017. It held that Morrisons was vicariously liable for the actions of its employee who leaked the personal data of Morrisons employees and was acting in a malicious way. Since then, this has raised concern for organisations who wondered how they would be able to mitigate against the risk of a rogue employee leaking personal data.
“The case was then appealed to the Court of Appeal, which dismissed the appeal. The Supreme Court, however, allowed Morrisons’ appeal and held that vicarious liability was being interpreted too widely. The former employee was carrying out criminal activity and was not acting in the course of his employment. The potential damages that could have been awarded to those whose data was leaked were never determined, but if Morrisons had been unsuccessful then it could have had to pay damages to around 100,000 employees.
“As we see more potential claimants seek to bring group litigation actions for data breaches, many organisations will be happy to see the decision of the Supreme Court today.”
What is this about?
In 2013, Andrew Skelton, a senior auditor in Morrisons’ internal audit team, stole a copy of payroll data from the company. Skelton was able to access the data as part of his job: the data was intended for KPMG, which had requested it to test its accuracy. In addition to downloading the data for KPMG, Skelton made a second copy and stored it on a USB stick.
In 2014, Skelton uploaded the data to the Internet and sent copies to three newspapers claiming he had found it on the Internet. After a brief investigation, the police arrested Skelton and charged him with the data breach. Skelton was sent to jail in 2015 for data theft. Morrisons then decided to sue Skelton to recover some of the £2 million it had spent in protecting employees and investigating the breach.
After suing Skelton, Morrisons found itself the subject of a class-action lawsuit. It alleged that Morrisons was vicariously responsible for the breach. It had, after all, given Skelton access to the data. Morrisons maintained that Skelton had lawful access to the data and it could not have foreseen his actions. The courts disagreed. Morrisons was ordered to pay compensation to its staff, although a figure was not made public.
Enterprise Times: What does this mean?
Does this judgement mean that organisations are off the hook if their employees do something that causes a data breach? No. It makes clear that there is a distinction between an individual causing a breach while doing something related to their employment, and an individual committing a separate, malicious act.
The judgement also raises the question of what “related to their employment” means. We are likely to see a number of interpretations of this in the next few months. It means that companies will have to look at their processes and make sure they are fit for purpose.