On 22 October 2018, the supermarket chain Morrisons lost its appeal to the High Court ruling that it is liable for a data breach that resulted in thousands of its employees’ personal data being posted online. The Court of Appeal’s (CoA) judgment can be found here.

Over 5,000 Morrisons’ employees brought a class action in the High Court after a company employee, Andrew Skelton, stole personal data, which included payroll information of almost 100,000 employees, including names, addresses, bank account details and salaries (see our previous blog on the High Court decision here).

Morrisons argued that Mr Skelton’s actions were insufficiently closely connected for it to be liable, as he perpetrated the act in his own home, on a personal computer and a number of weeks after he had stolen the personal data. The CoA rejected this, and was instead of the view that Mr Skelton’s actions fell “within the field of activities assigned to him” by Morrisons and that there was an unbroken chain of events linking his role as an employee to the disclosure of the personal data.

The CoA also rejected Morrisons’ argument that it was not vicariously liable on the basis that Mr Skelton’s motive was to harm his employer, and not to benefit himself in some way or inflict harm on a third party. All three of the CoA judges therefore agreed with the High Court that Morrisons was vicariously liable for the data breach.Continue Reading Morrisons loses appeal against class action data breach