On 22 October 2018, the supermarket chain Morrisons lost its appeal to the High Court ruling that it is liable for a data breach that resulted in thousands of its employees’ personal data being posted online. The Court of Appeal’s (CoA) judgment can be found here.
Over 5,000 Morrisons’ employees brought a class action in the High Court after a company employee, Andrew Skelton, stole personal data, which included payroll information of almost 100,000 employees, including names, addresses, bank account details and salaries (see our previous blog on the High Court decision here).
Morrisons argued that Mr Skelton’s actions were insufficiently closely connected for it to be liable, as he perpetrated the act in his own home, on a personal computer and a number of weeks after he had stolen the personal data. The CoA rejected this, and was instead of the view that Mr Skelton’s actions fell “within the field of activities assigned to him” by Morrisons and that there was an unbroken chain of events linking his role as an employee to the disclosure of the personal data.
The CoA also rejected Morrisons’ argument that it was not vicariously liable on the basis that Mr Skelton’s motive was to harm his employer, and not to benefit himself in some way or inflict harm on a third party. All three of the CoA judges therefore agreed with the High Court that Morrisons was vicariously liable for the data breach.
The CoA’s decision makes it clear that employers can be held vicariously liable, even if they take preventative steps and have no criminal liability. Organisations can therefore find themselves exposed to data breaches, even if they had no direct knowledge of the action resulting in such liability.
It is critical that organisations ensure that all parts of the business are subject to the highest levels of technical and organisational controls. Further, if companies are to be exposed to such liabilities, it highlights the need to have sufficient insurance in place to alleviate potential financial burdens, such as those that Morrisons now faces.
Morrisons has stated that it will appeal the decision of the CoA to the Supreme Court. We will monitor the progression of the case and provide any updates in our blogs.