Last month, the Court of Appeal ruled that the supermarket chain Morrisons is culpable for a data breach conducted by one of its employees. This ruling of ‘vicarious liability’ is a landmark judgement in legislation regarding personal data and has many implications for companies that do not have rigorous data protection policies in place.

Background to the Case

On the 18th November 2013, Andrew Skelton – an employee of the Morrisons supermarket chain – made a copy of the payroll data of nearly 100,000 Morrisons employees. The data consisted of names, addresses, genders, phone numbers, National Insurance numbers and bank account details. Everything a thief might need to steal the identity of a person and gain access to their finances. Mr Skelton was found guilty of stealing the data and jailed for eight years in March 2014.

The employees whose data had been stolen issued a claim for damages against their employer for misuse of private information, breach of confidence and breach of statutory duty under the Data Protection Act (the precursor to the GDPR). The original judgement found that “…as Morrisons did not directly misuse or authorise or carelessly permit the misuse of any information personal to the employees,” the supermarket was not primarily liable for the act of data theft conducted my Mr Skelton. The hearing then looked at whether Morrisons could be considered vicariously liable. 

Vicarious Liability

The judge in the original hearing found that, whilst Morrisons were not primarily liable, the supermarket could be held vicariously liable for the data theft as there was “…a sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct.” Basically, Morrisons had not sufficiently vetted Mr Skelton for a job that gave him access to personal data.

Court of Appeal

Morrisons appealed the decision, but the judge’s original decision of vicarious liability was upheld by the Court of Appeal. Morrisons’ appeal was dismissed on the 10th October 2018.

Implications of the Ruling

For Morrisons, who have already shelled out millions of pounds in legal fees, a massive compensation pay-out looms. But the ruling has far wider implications in the business world. It sets the precedent that organisations that are victims of a criminal act of data theft undertaken by a single errant employee will have to pay damages to the affected people. The Court of Appeal stated in their conclusion to the ruling in the Morrisons case that companies should consider taking out insurance against their being hit by a class action of this kind.

At Priviness, we offer courses tailored to meet the international data law compliance needs of your organisation. For more information about our data law compliance training, call us on 0203 2878 243 or email info@priviness.eu.

Join the conversation about privacy law and data breaches on Facebook and Twitter.

Read about the Court of Appeal’s Morrison’s ruling from a cyber security perspective on the Stackhouse Poland Blog.

Back To all catagories