The Supreme Court has sided with Morrisons in the UK’s first data leak group action, finding the grocery giant was not vicariously liable for a massive data breach committed by a disgruntled employee.
In a unanimous ruling, five Supreme Court justices today ruled that the Court of Appeal ‘misunderstood the principles governing vicarious liability in a number of relevant respects’, including whether the employee had been acting in his ‘field of activities’ when he committed the crime and whether there was a sufficient connection between his job and his wrongful conduct.
The case concerns a security breach in which personal data of more than 100,000 staff was posted online. In 2013 Andrew Skelton, then a senior internal auditor, was tasked with transmitting payroll data to KPMG: Skelton went on to publish the information online and send it anonymously to UK newspapers.
Skelton, who bore a grudge against the supermarket after being disciplined in July 2013, received an eight-year jail sentence and 5,000 Morrisons employees subsequently brought a group action for compensation.
In a judgment handed down today, the Supreme Court allowed Morrisons’ appeal, finding that the online disclosure of the data was not part of Skelton’s ‘field of activities’, as it was not an act he was authorised to do. It added that ‘although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Skelton for the purpose of transmitting it to KPMG and his disclosing it on the internet, a temporal or causal connection does not in itself satisfy the close connection test.’
However, the Supreme Court found Morrisons’ argument that the Data Protection Act 1998 (the relevant statute at the time of the breach) excludes imposition of vicarious liability for either statutory or common law wrongs ‘unpersuasive’.
Solicitors say the judgment will be welcomed by UK businesses. Peter Church, TMT counsel at Linklaters, said: ‘This judgment will be a relief for UK businesses but is largely restricted to its facts and there are still a large number of other class actions for data breaches in progress. The threat of significant liability for data breaches remains.’
Nick McAleenan, a partner at JMW Solicitors who represented the claimants, said: ‘The Supreme Court’s decision now places my clients, the backbone of Morrisons’ business, in the position of having no legal avenue remaining to challenge what happened to them… The Supreme Court effectively decided that where a wrongdoer leaks data with the specific intention to harm their employer, the employer may not be held vicariously responsible.’