Morrisons ruled not liable for employee data leak by Supreme Court

The leak of Morrisons payroll data was found to have been the fault of Andrew Skelton, an employee with a grudge.

Skelton revealed the information of fellow Morrisons employees online, as well as selling it to newspapers, after receiving disciplinary action.

Many members of staff whose data was revealed made claims for compensation, but the Supreme Court ruled that employers could only be vicariously liable for their employees’ actions if they were “closely connected” to their duties at work.

Steve Farmer, partner and data privacy lawyer at Pillsbury Winthrop Shaw Pittman, said that the landmark verdict “fires a warning shot toward the burgeoning class action culture developing in the UK.

“The case represents a milestone victory and a watershed moment for companies who could otherwise be subject to compensation claims on a potentially vast scale, through no fault of their own; it will have a significant residual effect for years to come.

“Employers must bear in mind that when an employee is deemed to be acting on behalf of an employer and a breach is suffered, the company will still be on the hook for breaches.

The comprehensive IT security guide for CIOs and CTOs

Information Age’s IT security guide for CIOs, covering everything from how to implement an effective cyber security strategy to how to respond to the security skills crisis. Read here

“The distinguishing feature in this case is that the rogue employee was considered to be acting on his own behalf. The net result is that the door is still open for vicarious liability claims being brought in class action cases”

Peter Church, TMT counsel at Linklaters, commented: “This judgment will be a relief for UK businesses, but is largely restricted to its facts, and there are still a large number of other class actions for data breaches in progress.

“The threat of significant liability for data breaches remains.”

This is not the only prominent data breach of employee data to come to light this week; the login credentials of two members of staff at Marriott International was recently used to compromise the data of 5.2 million guests.

“The more interesting issue was not whether Morrisons was liable, but the compensation each employee would have received if they had been liable,” Church continued.

“Many employees would have struggled to show they had suffered any actual loss or harm suggesting their compensation should be minimal. This is relevant to the other outstanding class actions, but following the dismissal of this claim, we may have to wait longer for the answer.”


Avatar photo

Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.