Case Update: Morrisons Data Leak Ruling

Dan Dowen, a solicitor in the commercial department at Berry Smith, provides an update on this week’s breaking news surrounding the Morrisons’ data leak.

The Court of Appeal upheld a High Court decision that Morrisons is liable for a data breach that resulted in thousands of their employees’ details being posted online by a disgruntled employee. The case is the first data leak class action in the UK.

The facts of the case relate to Andrew Skelton, a senior internal auditor at the supermarket’s Bradford Headquarters, who felt aggrieved over the results of what he thought was an unfair disciplinary and wanted to take revenge. This led him to steal personal data relating to thousands of employees, including names, addresses salaries and banking details and then posting the information online.

The claimants, who are both current and former employees, brought legal action against Morrisons stating that this leak poses a risk to their rights and freedoms that could result in identity theft and/or financial loss.

Mr Skelton was subsequently jailed for 8 years in 2015 after being found guilty of fraud, securing unauthorised access to computer material and disclosing personal data.

Despite this latest decision by the Court of Appeal, Morrisons argued that they could not be held liable for the criminal misuse of its data. However, the Court of Appeal said that Morrisons was “vicariously liable for the torts committed by Mr Skelton against the claimants”. “Vicarious liability” is the legal term for holding someone responsible for someone else’s actions.

Having failed to convince Court of Appeal judges that it should not be held responsible for the actions of a rogue employee, a Morrisons spokesperson said “Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible so that’s why we will now appeal to the Supreme Court.”

This verdict could result in making employers vicariously liable for employee’s actions even if they have taken preventative steps and as such has resulted in a split opinion within the legal industry. Some lawyers found the result surprising given that Mr Skelton has already been convicted of a criminal offence whereas others believe that Morrisons should bear the risk and assume the liability for the actions of its employees, as long as its related to the task at hand or in the course of employment. However, it is clear that a decision by the Supreme Court is needed in order to bring clarity to this area of law.

In the meantime, many organisations will be wondering what actions they can take in an attempt to protect themselves. Some tips include:

  • Regular reviews of internal controls, protocols, policies and systems currently in place, ensuring that they are adequate and fit for purpose;
  • Ongoing, training of staff in data protection and confidentiality;
  • Be aware of any change to an employee’s state of mind and whether this would impact on their day to day processing activities;
  • Check insurance policies to confirm they cover against compensation claims by data subjects.

Whilst this case took place pre-GDPR, GDPR introduced the principle of accountability which is an ongoing obligation to ensure an organisation is responsible for complying with the GDPR. However, it is not enough to only comply, you must now demonstrate your compliance.

The GDPR makes it clear that data protection and privacy should be a key cornerstone of any organisation, with regular ongoing reviews of the systems in place, ensuring that they contain the appropriate technical and organisational measures to meet the requirements of accountability.

If you are worried that your business is not yet GDPR compliant or would like further advice on data protection or any other commercial issue, please contact Dan Dowen on 02920 345511 or