
UK Court of Appeal holds Morrisons Vicariously Liable for Malicious Data Breach

Julie Austin



In a recent judgment handed down by the UK Court of Appeal, supermarket giant WM Morrisons was found to be vicariously liable for the actions of a disgruntled worker who leaked sensitive payroll data to the media.

Background

In July 2013, Mr Andrew Skelton was employed by Morrisons as an IT Internal Auditor. Following a disciplinary hearing in respect of an incident where Mr Skelton allegedly made use of Morrisons’ postal facilities for his private use, Mr Skelton received a formal verbal warning. It is believed that Mr Skelton felt aggrieved by the disciplinary sanction and held a grudge against his employer. During the course of a later audit, Mr Skelton copied payroll data of 99,998 Morrisons employees to a personal USB stick and posted the data on a file sharing website. He later sent a CD containing the data to three newspapers in the UK and was subsequently convicted of a criminal offence in respect of this.

Proceedings

On foot of the data breach, a class action was taken against Morrisons by over 5,000 employees. The Claimants claimed that, in failing to prevent this data breach, Morrisons was liable for breaches of the Data Protection Act 1998 (the “Act”), misuse of private information, and/or breaches of confidence. Alternatively, they argued that Morrisons was vicariously liable for Mr Skelton’s misuse of private information and/or breaches of confidence.

High Court Judgment

Langstaff J determined that although Morrisons itself had not mishandled or misused the data, it was vicariously liable for the breach. The decision was appealed to the Court of Appeal.

The Court of Appeal

In upholding the decision of Langstaff J, the Court of Appeal held that: “notwithstanding that Mr Skelton had committed the Breach: (1) from a personal computer; (2) at home; and (3) outside of working hours; there was a ‘seamless and continuous sequence’ or ‘unbroken chain’ of events linking back to his employment”.
The Court of Appeal held that an employer could be held vicariously liable even where the intention of the employee committing the relevant act was to harm his employer rather than to achieve some benefit for himself or to inflict injury on a third party. Therefore, the employee's motive in committing the relevant act is irrelevant.

Impact

The judge in this case seemed to acknowledge the far-reaching implications of his judgment. He noted that there have been many instances of large-scale data breaches which could lead to a large number of claims against companies for “ruinous amounts”. So what steps did the judge advise companies to take? Somewhat unusually, the judge seemed to suggest that companies should insure against such claims. He stated: “The solution is to insure against such catastrophes: and employers can likewise insure against losses caused by dishonest or malicious employees…..the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward… on behalf of Morrisons”.

In addition to insurance, employers are well advised to safeguard information from being released into the public domain by either third parties or employees. They should ensure that they have the requisite organisational and technical measures in place so that personal data is appropriately secured, and these measures should be monitored regularly.

It is understood that Morrisons intends to seek leave to appeal the decision of the Court of Appeal.

The Court of Appeal decision can be found here.

For further information on employment or data protection law please contact Barry Walsh or Julie Austin on 018280600.