Judgment handed down in landmark Morrisons data breach appeal

The Supreme Court has allowed Morrisons’ appeal, finding that the supermarket was not vicariously liable for data breaches caused by a disgruntled employee

02 April 2020

The much anticipated decision from the Supreme Court, handed down yesterday, overturns the Court of Appeal decision in WM Morrisons Supermarket PLC v Various Claimants [2018] EWCA Civ 2339.

The Court of Appeal had previously confirmed that organisations can be vicariously liable for data breaches caused by rogue employees, even where the organisation has taken appropriate measures to comply with its data protection obligations. The effect of the Court of Appeal’s decision would have meant that the supermarket would have been exposed to a large number of compensation claims and the case would have set a precedent for future victims of data breaches to argue an employer is vicariously liable for the actions of a former employee.

Instead, the Supreme Court said that the decisions of previous courts and the Court of Appeal were 'contrary to the established approach to questions of this kind, and were based on a misunderstanding of this court’s decision’.

The facts

In 2013, Andrew Skelton, then a senior IT auditor of Morrisons, had been subject to unrelated disciplinary proceedings, which apparently led him to harbour a grudge against Morrisons. Mr Skelton downloaded the payroll data of 100,000 Morrisons employees onto a personal USB stick and subsequently uploaded the data onto a public file sharing website in January 2014. The facts of the case are detailed in our previous article from last year.

More than 5,000 Morrisons employees affected by the breach then sought compensation from Morrisons. Two lower courts ruled that the supermarket did not have ‘primary liability’ but was vicariously liable for the breach. Morrisons then challenged that decision but the Court of Appeal upheld the original decision, leaving the Supreme Court as the final means of redress.

The ruling

A panel of five judges decided that Morrisons could not be held ‘vicariously liable’ for the actions of Mr Skelton.

The question as to whether Morrisons was vicariously liable for Mr Skelton’s actions hinged on whether 'Skelton’s disclosure of the data was so closely connected with acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment.'

The judges agreed that 'Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.' And that 'Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment.'

The case confirms that employers could only be held liable for the actions of employees if they were ‘closely connected’ with their duties at work.

This article is written by Olivia Ward.

Key contact

Andrew Dunlop

Andrew Dunlop Partner

  • Head of Outsourcing
  • Head of Technology
  • Head of Data Protection

Subscribe to news and insight

Burges Salmon careers

We work hard to make sure Burges Salmon is a great place to work.
Find out more