U.K. supermarket chain Morrisons has lost its appeal to overturn a 2017 judgment that found it “vicariously liable” for a malicious data breach that saw a disgruntled former employee release the personal and financial details of nearly 100,000 staff. The company says it will now take the battle to the Supreme Court.

Morrisons had argued it could not be held liable for the criminal misuse of its data, but three U.K. Court of Appeal judges rejected the company’s appeal and upheld the original December 2017 decision, finding that while Morrisons was not directly liable for the data breach, the company was “vicariously liable” for the rogue employee’s actions as he had control of the data and was acting in the course of his employment.

Some 5,518 former and current employees brought a class-action claim against the company in October 2017 after Andrew Skelton, a senior IT auditor, stole the data—which included names, addresses, National Insurance numbers, bank account details, and salaries—and deliberately leaked it online and to local newspapers following a disciplinary matter in 2014.

The case “highlights the levels of technical and organisational controls that need to be in place even in the most trusted parts of your business to ensure that personal data is not stolen or otherwise misused.”
Lesley Holmes, Data Protection Officer, MHR

Skelton had been accused of dealing so-called “legal highs” at work. Disciplined, but not dismissed, he stole the data as part of a grudge against the company. He was jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data.

Lawyers acting for the claimants said the data theft meant they were exposed to the risk of identity theft and potential financial loss. They added that the company was also responsible for breaches of privacy, confidence, and data protection laws—despite the fact that the U.K.’s data regulator, the Information Commissioners’ Office, which had originally investigated the case, had found that Morrisons had processes and procedures in place to protect personal data, no harm was done to any data subject, and the breach was the criminal act of an employee acting in bad faith.

The supermarket chain has said that the breach cost it £2 million (U.S. $2.6 million) to rectify.

Morrisons, which claimed in the original trial that it was “an innocent party,” will now appeal to the Supreme Court. If that appeal fails, however, those affected will be able to claim compensation for “upset and distress”—even without proof of financial loss.

Takeaways for compliance

The Court of Appeal’s decision to reject Morrisons’ appeal means that organisations need to improve their controls, processes, and vetting around company data, as well as who should have access to it. They also need to accept that they are likely to be held accountable for breaches in future.
Both the High Court and the Court of Appeal have held that the systems and processes that Morrisons had in place to protect personal data were entirely adequate. Despite this, however, the court still found that while the company was not primarily responsible for the breach—it was acknowledged to be an entirely malicious act—it is still deemed legally liable for it.
Consequently, compliance officers should assume that their organisations are likely to be held legally responsible for any breach of data, as the issue of “vicarious liability” can be interpreted widely and means that organisations can be held accountable for the unexpected actions of employees.
—Neil Hodge

The Morrisons case is especifally significant, as no other organisation has ever been held vicariously liable for a data breach in the past twenty years in the United Kindgom. Says Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, which represents the claimants: “The judgment is a wakeup call for business.”

In a statement, he added: “The claimants are obviously delighted with the Court of Appeal’s ruling. The Judges unanimously and robustly dismissed Morrisons’ legal arguments. These shop and factory workers have held one of the U.K.’s biggest organisations to account and won—and convincingly so. This latest judgment provides reassurance to the many millions of people in this country whose own data is held by their employer.”

Many lawyers had predicted that Morrisons’ appeal would be successful, and several had said that the original decision was “troubling” and “daunting,” because it meant that the risk of liability had broadened and that employers were effectively left “wide open” to individuals acting maliciously.

Lesley Holmes, data protection officer at HR and payroll analytics firm MHR, says that the case “highlights the levels of technical and organisational controls that need to be in place even in the most trusted parts of your business to ensure that personal data is not stolen or otherwise misused.”

In a statement, the supermarket chain said: “Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues”

“Morrisons worked to get the data taken down quickly, provide protection for those colleagues, and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible, so that’s why we will now appeal to the Supreme Court.”