Morrisons is not “vicariously liable” for a data leak which exposed payroll data of 100,000 staff, according to a landmark Supreme Court ruling.
The Supreme Court ruled via livestream today that a previous decision that Morrisons must pay compensation to thousands of employees should be overturned.
In 2014 lawyers for more than 9000 claimants brought legal action against Morrisons after payroll data, names, addresses and bank account details of 100,000 employees were leaked online and to newspapers by senior internal auditor Andrew Skelton.
It was ruled that Morrisons was vicariously liable for the actions of Skelton, who was found guilty of securing unauthorised access to computer material and disclosing personal data and was sentenced to eight years in 2015.
After Morrisons lost a previous challenge to the ruling in 2017, five justices voted unanimously to overturn the decision today.
Morrisons argued that if the ruling was allowed to stand, it would have to pay out “compensation claims on a potentially vast scale” despite being “entirely blameless”.
Judges decided that Skelton held a “grudge” against the company after being given a verbal warning following disciplinary proceedings, and that Morrisons could only be held liable for the actions of its employees if those actions were “closely connected” with their duties.
Supreme Court president Lord Reed said: “In the present case, Skelton was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question.
“On the contrary, he was pursuing a personal vendetta, seeking revenge for the disciplinary proceedings a month earlier.
“In these circumstances, applying the established approach to cases of this kind, his employer is not vicariously liable.”
Morrisons said in a statement: “The theft of data happened because a single employee with legitimate authority to hold the data also held a secret and wholly unreasonable grudge against Morrisons and wanted to hurt the company and our colleagues.
“We are pleased that the Supreme Court has agreed that Morrisons should not be held vicariously liable for his actions when he was acting alone, to his own criminal plan and he’s been found guilty of this crime and spent time in jail.
“A court has already found that Morrisons was not responsible for any direct wrongdoing in respect of this data theft. We also know that many colleagues appreciated the way we got the data taken down quickly, provided protection for their bank accounts and reassured them that they would not, in any circumstances, be financially disadvantaged. In fact, we’ve seen absolutely no evidence of anyone suffering any direct financial loss.”
Partner at JMW Solicitors Nick McAleenan, who represented the claimants, added: “My clients entrusted their personal information to their employer, Morrisons, in good faith. When their information was subsequently uploaded to the internet by a fellow employee, it caused an enormous amount of upset and distress to tens of thousands of people.
“The Supreme Court’s decision now places my clients, the backbone of Morrisons’ business, in the position of having no legal avenue remaining to challenge what happened to them.
“My clients are of course hugely disappointed by the decision, which contradicts two earlier unanimous findings in their favour.
“The Supreme Court effectively decided that where a wrongdoer leaks data with the specific intention to harm their employer, the employer may not be held vicariously responsible. The Claimants, of course, respect the decision, but the troubling part of this conclusion is that the wrongdoer in this case also wanted to damage his own colleagues, not just Morrisons, and he did so in dramatic fashion.”