Court of Appeal hold Morrison’s liable for Data breach

Last week, the Court of Appeal considered Wm Morrison Supermarket Plc’s (“Morrison’s”) appeal against the earlier High Court decision which held them liable for a data breach which was the result of a Morrison’s disgruntled employee’s actions. It was announced on Monday that Morrison’s have lost their Court of Appeal challenge against that decision which held them liable for the employee’s acts. This case is highly significant, given that it leaves organisations open to vicarious liability for the acts of “rogue employees” who may access and/or leak data after the end of their employment.

What happened?

The perpetrator of the data breach was the former senior internal auditor at Morrison’s’ Bradford headquarters, Andrew Skelton. In 2014, he leaked the personal data of other Morrison’s employees following an earlier incident, where he was accused of dealing “legal highs” at work. The data leaked included the names, addresses, bank account details and salaries of over 100,000 employees. Skelton circulated the information online and also disclosed the information to newspapers.

As far as criminal implications for Skelton, he received an eight year prison sentence in 2015. He was found guilty of fraud, securing unauthorised access to computer material and disclosing personal data.

The High Court Ruling

The High Court held Morrison’s liable for the data breach perpetrated by Andrew Skelton and found that staff were entitled to be compensated as a result of their personal information being disclosed in this manner.

Morrison’s were deemed to be vicariously liable for the acts of Skelton, in spite of the fact that his acts constituted criminal activity. This was because he was seen to be “acting in the course of his employment” when he disclosed the data.

The Appeal

Morrison’s appealed against the High Court’s judgment on the basis that they ought not to have been held vicariously liable for the acts of Skelton. The appeal was heard by three judges in the Court of Appeal who supported the High Court’s previous judgment – therefore refused Morrison’s appeal – and found that Morrison’s were vicariously liable for the acts of Skelton

In a statement following the hearing, Morrison’s stated that they “worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged.” Further, they have stated that they are unaware of any individual having sustained direct financial loss as a result of the breach. Therefore, they have indicated that they will appeal this decision to the Supreme Court.

The Court of Appeal judges referred to frequent corporate data breaches which have occurred in the past few years due to systems failures and negligence. Recognising that these may lead to compensation claims for “potentially ruinous amounts,” they said that the way forward for organisations is to “insure against such catastrophes” and losses caused by rogue employees.

The text of the Court of Appeal’s judgment has not yet been released and therefore we await the release of this in order to ascertain the full rationale for the Court of Appeal’s decision.

Practical Implications

This judgment is highly significant for a number of reasons. Firstly, it is the first class action to have been brought in the UK concerning a data breach.

Secondly, Nick McAleenan, representative of the employees, said “the judgment is a wake-up call for business.”

The judgment serves as an important warning for organisations as it illustrates that organisations may be held to be responsible for the behaviour of a “rogue employee” if that behaviour is deemed to be carried out in the course of their employment.

This article was co-written by Charlotte Fleming.

Technology, Media & Telecoms

With very few areas not impacted by technology, media and telecoms, we remain focused on ensuring we stay ahead of the curve in advising clients of the ever-increasing body of law, regulation and policy affecting the sector.

Latest updates from @MacRoberts

  • MacRoberts is recruiting! We currently have a vacancy for a Senior solicitor/associate to join our Private Client… 10 hours ago
  • This week on our new IGTV mini-series, giving an insight into what it’s like to begin a legal career during the pan… 23/06/2021
  • Would you like to work at one of Scotland’s leading law firms? We currently have a number of opportunities availabl… 21/06/2021
  • We currently have a vacancy for a Customer Due Diligence Administrator based in Glasgow or Edinburgh. Please shar… 18/06/2021
  • Maya Forstater received a lot of media attention around her tweets relating to her beliefs about sex, resulting in… 18/06/2021
  • Applications for our traineeships starting in 2023 are now open! Get your legal career off to the best possible sta… 18/06/2021
  • RT @DundeeAndAngus: Leading Scottish commercial law firm, @MacRoberts has advised BAM on the ‘game-changing’ Atlantic Square development in… 16/06/2021
  • This week on our new IGTV mini-series, giving an insight into what it’s like to begin a legal career during the pan… 16/06/2021
  • Self-employed status: What does the Uber case really mean? 🚖 Kenny Scott explains what the recent ruling means for… 16/06/2021
  • What is the Scottish #gin industry doing to improve #sustainability? Following #WorldGinDay celebrations over the w… 15/06/2021
  • The European Commission has adopted & published versions of two new sets of Standard Contractual Clauses. What ch… 15/06/2021
  • What impact could Ireland High Court's decision to reject an action by Facebook to block an inquiry by the Irish… 14/06/2021
  • Wishing all of our followers a happy #WorldGinDay! ICYMI: Earlier this week, we were delighted to catch up with… 12/06/2021
  • We're #hiring! We have a #vacancy for a Senior #Solicitor or Associate to join our IP, Technology & Commercial team… 10/06/2021
  • Dealing with an employee's misconduct when that employee contends it is linked to a disability can be tricky - read… 09/06/2021