Grocery giant Morrisons has urged the Supreme Court to overturn a ruling that found it vicariously liable for a data breach carried out by a disgruntled employee, in the latest twist in the UK’s first data leak group action.
WM Morrison Supermarkets plc v Various Claimants concerns a security breach in which personal data of more than 100,000 staff was posted online. More than 5,000 employees are claiming for compensation.
Payroll data was stolen and later published by Andrew Skelton, a senior internal auditor, who held a grudge against his employer. Skelton subsequently received an eight-year jail sentence.
For Morrisons, Lord Pannick QC, of Blackstone Chambers, said that Skelton’s wrongdoing was not within the field of activity assigned to him by Morrisons. There was not a sufficiently close connection between Skelton's wrongful conduct and what he was employed to do to justify a ruling of vicarious liability.
Skelton, Pannick said, had access to the payroll data for ‘a specific and limited purpose’ and ‘downloading the data onto his personal USB stick was well outside the scope of his job functions’.
He continued: ‘Even if the court were to conclude that the act of downloading the data was within his field of activity we say the act of disclosing the data two and four months later…cannot sensibly be said to be within his field of activity – far less to be closely connected to his job function’.
‘All that links Mr Skelton’s conduct to his employment is that his criminal plan began at work.’
Pannick also stressed that electronic data is ‘very susceptible to abuse’. He said ‘there are important limits on data controllers’ ability to safeguard data against employees’ misuse’ as the act of monitoring how data is used could involve interfering with privacy rights.
The hearing, which is due to last for two days, continues this afternoon. Five justices led by Lady Hale are hearing the case.
Morrisons is represented by international firm DWF while the claimants are represented by Manchester firm JMW Solicitors.