Supreme Court finds Morrisons not liable for 2014 data breach

Supreme Court finds Morrisons not liable for 2014 data breach

Morrisons store

In a unanimous decision, the Supreme Court has ruled that Morrisons' employees won’t receive any compensation from the supermarket chain for the massive data breach took place in 2014.

Back in 2014, to settle an old grudge against his employer, Andrew Skelton, an internal auditor at Morrisons' Bradford office, leaked personal and financial information of nearly 10,000 Morrisons staff on the web.

The High Court was approached by 5,518 current and former staff at Morrisons who demanded compensation from the supermarket chain for the distress they suffered following the data breach. The breach had compromised names, NI numbers, birth dates and bank account details of nearly 10,000 current and former Morrisons staff.

Skelton was sentenced to eight years after being found guilty of leaking personal details of Morrisons employees, and Morrisons was also awarded £170,000 in compensation by the court. However, in December 2017, the High Court ordered Morrisons to pay compensation to 5,518 current and former employees whose personal and financial details were exposed in 2014.

Following the High Court's ruling, Morrisons said that they would appeal the ruling as the company had incurred significant expenses to minimise the damage caused by the breach. The supermarket chain approached the Supreme Court judges and hoped for a favourable verdict.

Supreme Court said DPA 1998 does not apply the principle of vicarious liability to employers

Earlier this week, a panel of five judges at the Supreme Court passed a unanimous decision, ruling that Morrisions wasn’t liable for the data breach. Lord Reed, president of the Supreme Court, told BBC that "Skelton was not engaged in furthering Morrisons' business when he committed the wrongdoing in question."

The Supreme Court relied on Morrisons' argument that the Data Protection Act 1998 did not apply the principle of vicarious liability to employers or data controllers when their employees committed data breach offenses. "Although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Skelton for the purpose of transmitting it to KPMG and his disclosing it on the internet, a temporal or causal connection does not in itself satisfy the close connection test," it noted.

Nick McAleenan, a lawyer represented the affected employees, told BBC that "the Supreme Court's decision now places my clients, the backbone of Morrisons' business, in the position of having no legal avenue remaining to challenge what happened to them... The Supreme Court effectively decided that where a wrongdoer leaks data with the specific intention to harm their employer, the employer may not be held vicariously responsible."

After the verdict of Supreme Court was reached, the supermarket giant published a statement saying "We are pleased that the Supreme Court has agreed that Morrisons should not be held vicariously liable for his actions when he was acting alone, to his own criminal plan, and he's been found guilty of this crime and spent time in jail."

Copyright Lyonsdown Limited 2021

Top Articles

Facebook's lawsuit against ban on EU-US data transfers dismissed

The High Court in Ireland has dismissed Facebook's lawsuit against the Irish DPC's decision to ban it from transferring the data of EU residents to the US.

DarkSide extracts $4.4m ransom from German chemical distribution company

The DarkSide ransomware group extracted a ransom payment of $4.4 million in Bitcoin from Brenntag, a German chemical distribution company.

HSE ransomware attack: All you need to know

Ireland's HSE suffered a Conti ransomware attack that forced it to shut down all IT systems, and cancel non-essential appointments.

Related Articles