Morrisons Not Liable for Breach Caused by Rogue EmployeeEmployees' Attempt to Receive Financial Compensation Dismissed by Supreme Court
Britain's Supreme Court on Wednesday ruled that supermarket giant Morrisons is not liable for a data breach caused by a rogue employee.
"Whilst the Supreme Court ruled that an employer can be legally responsible - under the principle of ‘vicarious liability’ - for data breaches caused by their employees, it also ruled that in the particular situation at hand, Morrisons was not vicariously liable for the actions of their rogue employee in this case," says attorney André Bywater, who's a partner at London-based Cordery (see: GDPR: Data Breach Class Action Lawsuits Come to Europe).
Morrisons is the U.K.'s fourth largest grocery store chain, accounting for about 10 percent of all grocery sales.
Lawsuit Filed Over Data Leak
More than 5,000 staff joined the lawsuit against Morrisons after one of its employees - senior internal auditor Andrew Skelton - in 2014 leaked personal information that he'd improperly retained, including salaries and bank details, for nearly 100,000 employees.
After receiving a verbal warning for minor misconduct in July 2013, Skelton took revenge by posting information for 99,998 of Morrisons’ employees onto a file-sharing website in January 2014, and two months later sending a CD with copies of the data anonymously to three newspapers. Exposed data included employees' names, addresses, gender, birthdates, phone numbers, National Insurance numbers, as well as bank sort codes, bank account numbers and details of their salary.
None of the newspapers published the information, and one alerted police. An investigation traced the stolen information to Morrisons' PeopleSoft human resources database and back to Skelton, who was arrested. In 2015, he was sentenced to serve eight years in prison.
Subsequently, a group of employees sued Skelton, as well as Morrisons, on the grounds of vicarious liability, alleging that the supermarket chain had breached its duty under the Data Protection Act, which was in effect at the time of the crime, before the updated DPA that complies with the EU's General Data Protection Regulation came into effect in May 2018.
A judge subsequently ruled that Morrisons wasn't primarily responsible for the breach, but it did have some vicarious liability. Morrisons appealed the decision, but it was dismissed by the Court of Appeal.
Morrisons: No Vicarious Liability
On Wednesday, however, the Supreme Court ruled that both courts had misunderstood the principles underlying vicarious liability, and ruled in Morrisons' favor, saying the responsibility for the breach rested solely with the rogue employee.
"The fact that his employment gave him the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability," the Supreme Court wrote in its ruling. "An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta."
Morrisons has welcomed the Supreme Court's decision.
“The theft of data happened because a single employee with legitimate authority to hold the data also held a secret and wholly unreasonable grudge against Morrisons and wanted to hurt the company and our colleagues," the company says in a statement.
“We are pleased that the Supreme Court has agreed that Morrisons should not be held vicariously liable for his actions when he was acting alone, to his own criminal plan and he’s been found guilty of this crime and spent time in jail. A court has already found that Morrisons was not responsible for any direct wrongdoing in respect of this data theft."
Morrisons says that once the theft of data was discovered, it worked to get it removed from the internet within hours, offered protection for employees' bank accounts and promised to cover any direct losses.
"In fact, we’ve seen absolutely no evidence of anyone suffering any direct financial loss" as a result of the breach, it says.
What This Case Means for Others
"Although this was a victory for this particular employer due to the given facts of the case, on the core legal issue of vicarious liability, this ruling still leaves employers potentially exposed for the wrongdoing of others," Cordery's Bywater says. "In the Court of Appeal ruling, it was declared that the solution was for organizations to be properly insured - albeit in the context of that court’s decision that Morrisons was vicariously liable for Skelton’s actions - but this is easier said than done."
In addition, any breaches that have occurred since GDPR has come into effect could face different legal tests, although Bywater emphasizes that he's purely speculating on what might happen.
"Under GDPR there is a very strong emphasis on organizations having ‘technical and organizational measures’ in place to ensure GDPR compliance, including with regard to keeping data secure," he says. "Whilst the law was similar pre-GDPR, it could be argued that employers should be more conscious of technical and organizational measures such as access rights and data loss prevention, now that GDPR is in force."
At a minimum, Bywater says, all organizations should ensure they have in place sufficient access rights and data loss prevention capabilities, set policies and ensuring compliance, hone data breach detection and response capabilities, potentially monitor employees in trusted roles, as well as carry cyber insurance.