The Court of Appeal has upheld a verdict that could make employers vicariously liable for employees’ actions even if they had taken preventative steps and bore no criminal responsibility. In a decision in the UK’s first data leak group action, the court upheld a High Court ruling that supermarket chain Morrisons is liable for the actions of former employee Andrew Skelton. 

By upholding the lower court’s determination, the Court of Appeal allowed a group action compensation claim by more than 5,000 staff who had their personal data stolen and put online. The supermarket now faces paying compensation to each of them. 

Morrisons said it will appeal to the Supreme Court.

The case, Various Claimants v Wm Morrisons Supermarket, followed a security breach in 2014 when Skelton, then a senior internal auditor at Morrison’s Bradford headquarters, leaked payroll data. Skelton was jailed for eight years in 2015 after being found guilty of fraud, securing unauthorised access to computer material and disclosing personal data.

According to claimants, a mixture of former and current employees, the leak exposed them to the risk of identity theft and potential financial loss. The claim alleged Morrisons was responsible for breaches of privacy, confidence and data protection laws.

Although the Court of Appeal unanimously upheld the High Court’s ruling, lawyers are split over the latest verdict.

Nicola Fulford, partner at international firm Hogan Lovells, said it was ‘somewhat surprising’ that Morrisons lost on vicarious liability, given that Skelton had been convicted of a criminal offence.

Beth Hale, technical director at CM Murray agreed that many employers will find it surprising that they could be liable for the malicious actions of a disgruntled ex-employee. She added that the judgment is likely to result in an increase in 'class action' cases against companies where there has been a data breach, particularly where the leak has come from within the company itself.

However, Richard Cumbley, partner at magic circle firm Linklaters, said that ‘well established’ principles clearly point to Morrisons’ responsibility because Skelton’s wrongdoing was ’closely related to what he was tasked to do’ in his job.

Dan Cooper, partner in the global data privacy team at international firm Covington & Burling, agreed. He said the employer should bear the enterprise risk and assume liability for the actions of its employees, as long as they are performed in the course of employment. He added that the result is likely to incentivise employers to try to reduce their exposure, by shifting the risk to third-party insurers, and monitoring staff handling personal data.

However, according to Cumbley, the more interesting outcome will be the level of compensation employees will receive as some may struggle to show they have suffered any actual loss or harm. ‘This was a large breach affecting thousands of employees, but it’s too early to say if this will lead to “vast” liability,’ he said.

A Morrisons spokesperson said: ’Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible so that’s why we will now appeal to the Supreme Court.’

Morrisons was represented by international firm DWF while the claimants were represented by Manchester firm JMW Solicitors.