Employers could be vicariously liable for an employee’s misuse of data even if they have done all they reasonably can to prevent it and are not legally at fault, the UK’s first data leak group action case has determined.

In a decision today, the High Court allowed a compensation claim by thousands of staff at supermarket chain Morrisons and said the company should be found liable for the actions of a former staffer who stole personal data from swathes of employees before posting it online.

In Various Claimants v Wm Morrisons Supermarket PLC, Mr Justice Langstaff said although Morrisons was not directly liable it was vicariously liable for the actions of the ex-employee.

The case follows a security breach in 2014 when Andrew Skelton, then a senior internal auditor at the retailer’s Bradford headquarters, leaked payroll data. The court heard Skelton harboured a ‘considerable grudge’ after an incident in which he was accused of dealing ‘legal highs’ at work.

Skelton was jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data. Morrisons spent more than £2 million on measures to tackle the breach. 

But the group action claim said Skelton’s actions meant 5,518 former and current employees were exposed to the risk of identity theft and potential financial loss and that the company was responsible for breaches of privacy, confidence and data protection laws.

Langstaff ruled that Morrisons was vicariously liable, though he added that primary liability had not been established. He gave permission for Morrisons to appeal.

JMW Solicitors represented the claimants while Morrisons was represent by global firm DWF.

Nick McAleenan, a partner and data privacy law specialist at JMW, said: ‘Data breaches are not a trivial or inconsequential matter. They have real victims. At its heart, the law is not about protecting data or information – it is about protecting people.’

A Morrisons spokesperson said the judge found that Morrisons was not at fault in the way it protected staff data but that the law holds it responsible for the actions of the former employee. ’Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss,’ they said.