Court of Appeal finds that employee data breach is Morrisons’ business

Leading supermarket chain Morrisons has lost its challenge in the Court of Appeal against the High Court ruling that it was vicariously liable as employer for the unlawful data breach of its employee.

The data breach took place in 2014 when Andrew Skelton, a senior internal auditor, in a deliberate attack, leaked to newspapers and online the payroll data of nearly 100,000 employees, including names, addresses, bank account details and salaries. Skelton was jailed for 8 years after being found guilty for offences including fraud and disclosing personal data.

The employer will be found to be vicariously liable for an employee’s unlawful actions where the employee is acting in the course of their employment. The High Court had found that Skelton was carrying out his actions in the course of his employment and Morrisons, who had trusted him with the data, was vicariously liable as a result.

Morrisons will be appealing the decision to the Supreme Court, however if the appeal fails, the claimants could be due compensation from Morrisons for the upset and distress caused by the leak. The case, although one of the first data leak class actions in the UK, will not be the last; particularly with the introduction of the General Data Protection Regulation GDPR.

Businesses might find some reassurance that liability was limited to instances where the data breach was sufficiently connected to the individual’s employment, following on from precedent. However businesses should be cautious and continue to regularly monitor their process to help reduce the risk of a breach.