The supermarket chain had taken the case to the Court of Appeal following a High Court ruling in 2017 that found the retailer legally responsible for the breach.
Following the Court of Appeal’s decision, Morrisons has said it will take its fight to the Supreme Court, believing it should not be held vicariously liable for a malicious data leak by a former employee.
Vicarious liability means holding someone or an entity, such as a business, responsible for someone else’s actions – in this case, the malicious activities of a former employee.
Morrisons’ key argument is that they shouldn’t be liable for a malicious breach of this sort, because they had controls in place to protect the data. However, their stance was challenged by more than 5,000 current and former staff affected. So far, the judges have ruled in favour of the latter (see below). If Morrisons loses its battle it faces a vast compensation pay-out.
This case, if upheld by the Supreme Court, will have widespread repercussions for employers. This interpretation of vicarious liability could make them vulnerable to legal action from any individuals impacted by unsanctioned, even criminal, actions of rogue staff members or former employees.
Responding to the Court of Appeal ruling against Morrisons, Nick McAleenan, a partner and privacy law specialist at JMW Solicitors who represents the claimants, said, “This judgement is a wake-up call for business. People care about what happens to their personal information. They expect large corporations to take responsibility when things go wrong in their own business and cause harm to innocent victims.”
Andrew Skelton was a disgruntled former Morrisons employee, disciplined for using the company’s postal facilities for his own use. In 2014, he made a private copy of the company’s entire payroll from an encrypted USB stick (which had been created at the request of the external auditor, KPMG). He then posted 99,998 employees’ personal details on a file-sharing site. Skelton went on to link to this from various other places and sent CDs containing the personal data to several newspapers, one of which immediately contacted Morrisons. Skelton was jailed for eight years in July 2015 for fraud, securing unauthorised access to computer material and unauthorised disclosure of personal data.
The personal data breached included names, addresses, dates of birth, phone numbers, national insurance numbers, bank sort codes and account numbers and salary details.
This case raises a crucial question – what is the extent of corporate liability in cases when employees go rogue?
In brief: Morrisons’ position
Morrisons, unsurprisingly, believe they shouldn’t be held liable for Skelton’s actions. They claimed to have worked swiftly to ensure the personal data was no longer accessible, provided protection for those affected and offered reassurances they wouldn’t be financially disadvantaged.
The supermarket say they are not aware of anybody who suffered any direct financial loss as a result of Skelton’s actions.
Furthermore, Morrisons argues that previous rulings (and indeed this one) never blamed them for not protecting their employees’ personal data and that appropriate security measures were in place. To be held vicariously liable for Skelton’s criminal actions, they say, is grossly unjust.
A spokesperson for Morrisons, following the Court of Appeal ruling, said, “Morrisons has not been blamed by the courts for the way it protected colleagues’ data, but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.” They went on to say, “We believe we should not be held responsible so that’s why we will now appeal to the Supreme Court.”
In brief: The Claimants’ position
In 2014 more than 5,000 affected individuals (both current and former staff) took a group action against Morrisons. The claimants’ case rests on the point that staff had the right to expect their personal details to remain confidential. A significant data leak led to staff being put at risk of fraud, identity theft and other problems.
Mr McAleenan says, “unsurprisingly, this caused a huge amount of worry, stress and inconvenience.” After the Court of Appeal judgement against Morrisons he said, “This latest judgement provides reassurance to the many millions of people in this country whose data is owned by their employer”.
This case looks set to continue to the highest court in the land, which will be asked to judge again whether Morrisons is vicariously liable or not.
For its part, the Court of Appeal believes the solution for businesses lies with being properly insured, which presumably means companies would be advised to take out cover for vicarious liability.
How businesses mitigate against this extended risk profile remains to be seen – will enhanced vetting and information security regimes be necessary for those entrusted with data, and at what cost?
Update April 2020: In a unanimous ruling, the Supreme Court found Morrisons was NOT vicariously liable for the data breach caused by a disgruntled employee.
Simon Blanchard, October 2018
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.