Privacy & Data Security Law News

Morrisons Wins U.K. Supreme Court Ruling Over 2014 Data Breach

April 1, 2020, 9:48 AM

The U.K.’s top court ruled that a British supermarket can’t be held responsible for a data breach by a disgruntled employee who leaked personal details of thousands of staff members online.

Wm Morrison Supermarkets Plc isn’t liable for the employee’s actions, the Supreme Court said Wednesday in a unanimous ruling that allows the grocery chain’s appeal.

“The decisions of the courts below were contrary to the established approach to questions of this kind, and were based on a misunderstanding of this court’s decision” in a previous case, the court said in a ruling that was read out over video link.

More than 5,000 Morrisons workers were seeking compensation over the 2014 incident, in which their personal details were posted online. Two lower courts had ruled -- in the first class action over a data leak -- that the retailer didn’t have “primary liability” but was vicariously liable.

Former employee Andrew Skelton was engaged “in a personal vendetta,” the Supreme Court said. In such a case “his employer is not vicariously liable.”

Skelton, a senior IT auditor at the company, leaked payroll data of almost 100,000 employees in 2014. He’s been convicted over the data leak and sentenced to an eight-year prison term.

Nick McAleenan, a lawyer at JMW Solicitors who represented Morrison’s employees, said his clients were “hugely disappointed” by the ruling.

“The Supreme Court’s decision now places my clients, the backbone of Morrisons’ business, in the position of having no legal avenue remaining to challenge what happened to them,” he said in an emailed statement.

But, he said, the ruling did mean that businesses can be found liable for some types of data breaches, a decision that will mean broader protection for workers and consumers.

“Staff have lost their claim, but through their legal action they have enhanced the data rights of everyone in the U.K.,” he said.

Morrisons said it had removed the information from the internet when it discovered Skelton’s action, and offered protection to employees’ banking accounts and other financial data.

“The theft of data happened because a single employee with legitimate authority to hold the data, also held a secret and wholly unreasonable grudge against Morrisons and wanted to hurt the company and our colleagues,” Morrisons said in an emailed statement, saying it was pleased with the final outcome.

To contact the reporters on this story:
Jonathan Browning in London at jbrowning9@bloomberg.net;
Stephanie Bodoni in Luxembourg at sbodoni@bloomberg.net

To contact the editors responsible for this story:
Anthony Aarons at aaarons@bloomberg.net

Christopher Elser

© 2020 Bloomberg L.P. All rights reserved. Used with permission.

To read more articles log in. To learn more about a subscription click here.