Bircham Dyson Bell (BDB) LLP and Pitmans LLP merged on 1 December 2018 to become BDB Pitmans LLP.
10 December 2018

135: Morrisons Supermarkets held vicariously liable for employee’s deliberate data breach

In a significant judgment, the Court of Appeal has upheld the decision of the High Court that Morrisons Supermarkets was vicariously liable for the deliberate leak of the personal data of almost 100,000 employees by a disgruntled employee (W M Morrisons Supermarkets Plc v Various Claimants). This is the first class action concerning a data breach in the UK.

Mr Skelton was employed by Morrisons as a senior IT auditor. He developed a grudge against Morrisons after being subject to disciplinary proceedings for using the company’s postal facilities for private purposes. As part of the annual audit process, Mr Skelton was entrusted with passing on the payroll data of around 100,000 employees to the external auditors. Using another employee’s details in an attempt to conceal his actions, he copied and leaked this data online and alerted several newspapers to the leak. He was subsequently convicted of various criminal offences and jailed for fraud.

Around 5,500 of the affected employees claimed damages from Morrisons for misuse of private information, breach of confidence and breach of duty under the Data Protection Act 1998. The High Court held that whilst Morrisons was not directly liable, it was vicariously liable for Mr Skelton’s actions because there was a sufficient connection between his illegal actions and the role for which he was employed.

The Court of Appeal has now unanimously rejected Morrisons’ appeal. It found that Mr Skelton was entrusted with the data for the purposes of his role as auditor. Covertly downloading this data onto his personal USB stick and disclosing it on the internet was part of a continuous sequence of events which had been planned by him. The Court of Appeal agreed that there was therefore sufficient connection between his position and the data breach to justify imposing liability on Morrisons for his actions.

This case is unusual because Mr Skelton’s motive was to harm his employer rather than another employee or third party, but the Court of Appeal rejected Morrisons’ argument that imposing vicarious liability would further his criminal aims. Subject to any appeal to the Supreme Court, the decision means that employers may be liable for the misuse of personal data by a rogue employee, even if they have otherwise complied with data protection legislation. Although, in theory, employers can insure against such risks, it remains to be seen how insurers will react. The amount of compensation awarded to the affected individuals under the Data Protection Act 1998 may be relatively small, but Morrisons’ liability will be substantial given the number of employees involved. Compensation could be greater under the new regime introduced by the General Data Protection Regulation in May 2018.
