Into The Breach: Morrisons Not Vicariously Liable For Rogue Employee's Deliberate Data Breach


Yesterday we discussed the highly awaited Supreme Court decision in WM Morrison Supermarkets plc v Various Claimants UKSC 12 here. The Supreme Court found that Morrisons was not liable for a data breach which was deliberately caused by a rogue employee. An employee of Morrisons had leaked payroll data concerning thousands of employees to a file-sharing website and to various newspapers. However, the threat of liability for businesses as a result of the actions of their employees in this context has now diminished following this Supreme Court decision. 

What Happened?

In November 2013, Morrisons' senior IT auditor, Mr Skelton, downloaded payroll data he was entrusted with at work onto a personal USB stick. In January 2014, in an attempt to harm Morrisons, Mr Skelton uploaded the data onto a file-sharing website and later sent the information to various newspapers. The personal data of thousands of employees was leaked. These employees issued a class action against Morrisons for damages for breach of the United Kingdom's Data Protection Act, misuse of private information and breach of confidence. The data breach took place prior to GDPR coming into force. The employees claimed that Morrisons should be held vicariously liable for the data breach deliberately caused by Mr Skelton.

As we discussed previously, both the High Court and the UK Court of Appeal found that Morrisons was vicariously liable for the actions of its former employee. Morrisons appealed this judgment and the UK Supreme Court overturned the decision, finding that Morrisons was not vicariously liable.

Disclosure of Data Not an Authorised Act

The Supreme Court found that the online disclosure of the data did not fall within the employee’s “field of activities”, as it was not an act which he was authorised to do. In this case, the employee was authorised to transmit the payroll data to the auditors. The wrongful disclosure of the data committed by the employee was held not to be so closely connected with this job that it could fairly and properly be regarded as made by the employee while acting in the ordinary course of his employment.

Claims for Data Breaches

Although this decision relates to an incident that occurred prior to GDPR, this case has been decided in the post-GDPR climate and will have persuasive authority in the Irish Courts. The UK Supreme Court found in favour of Morrisons in this matter, holding that it should not be exposed to serious financial consequences as a result of the rogue employee’s conduct. 

However, GDPR and the Data Protection Act 2018 make it easier for individuals to bring claims regarding data breaches, as they allow compensation to be awarded to data subjects for non-material loss, such as emotional distress arising from the loss of personal data. Businesses will need to have controls in place to prevent and mitigate the risk of data breaches.

However, this decision is welcomed by businesses as it limits the imposition of vicarious liability on employers in relation to data breaches which could be carried out by their employees. 

Contributed by Alexandra Drummy