The breach occurred in 2014 when payroll data on thousands of Morrisons employees was leaked on a file-sharing website by Andrew Skelton, a member of its internal audit team.
A number of the affected employees subsequently brought proceedings against Morrisons both directly and on the basis of what is termed vicarious liability, that is, liability for the acts of its employee.
Their lawsuit made claims for breach of statutory duty under the Data Protection Act (DPA) of 1988, misuse of private information and breach of confidence. At trial, a High Court judge agreed that Morrisons was not primarily responsible, but held that it was vicariously liable because Skelton had acted in the course of his employment.
In its unanimous judgment, the Supreme Court said the previous judgments had fundamentally misunderstood the principles governing vicarious liability in a number of ways, most notably because disclosing the data online did not fall within Skelton’s “field of activities”, and because it was highly material whether Skelton was acting on Morrisons’ business or for personal reasons.
Because Skelton was authorised to be in possession of the data and to send it to Morrisons’ external auditors, the fact that he then leaked it was not so closely connected with that task that it could fairly be seen as carried out in the course of his duties, and the fact that he was able to do so was not sufficient to warrant the imposition of vicarious liability – that is to say, a company cannot really be liable for a personal vendetta against it.
A spokesperson for Morrisons said: “The theft of data happened because a single employee with legitimate authority to hold the data also held a secret and wholly unreasonable grudge against Morrisons and wanted to hurt the company and our colleagues.
“We are pleased that the Supreme Court has agreed that Morrisons should not be held vicariously liable for his actions when he was acting alone, to his own criminal plan and he has been found guilty of this crime and spent time in jail. A court has already found that Morrisons was not responsible for any direct wrongdoing in respect of this data theft.
“We also know that many colleagues appreciated the way we got the data taken down quickly, provided protection for their bank accounts and reassured them that they would not, in any circumstances, be financially disadvantaged. In fact, we’ve seen absolutely no evidence of anyone suffering any direct financial loss.”
James Seadon, a cyber security expert and IP and technology partner at law firm Fieldfisher, said: “The Supreme Court’s decision will be welcomed by employers in clarifying the scope of their vicarious liability for the acts of employees when it comes to data breaches.
“Nonetheless, although this may be seen to have relaxed the view of the Court of Appeal, it is critical – particularly in the fortified regulatory environment of GDPR [General Data Protection Regulation] and the DPA [Data Protection Act] 2018 – that businesses remain vigilant as to these risks. Relying on legal argument alone will not address the menace of data breaches.
“Employers continue to assess the technical and organisational measures they have in place to protect personal and other data. These might include locking down USB ports, preventing access to unauthorised webmail and filesharing sites and adding access controls to key information, as well as ensuring that such policing does not tip the scales when it comes to privacy and that appropriate policies are in place to support the chosen approach.
“Similarly, this litigation and the interest in it has demonstrated the power of collective actions in the wake of data breaches. It is already clear that this is a growing area of law and we expect that trend to continue.”