Morrisons victorious in data breach litigation - Supreme Court decision released today
John Green
Global AI Governance, Cyber Security & Data Protection Lawyer, Cyber First Responder
Today has finally seen the Supreme Court release their judgment in the long running Morrisons data breach litigation.
It started in 2013 when Andrew Skelton, a member of Morrisons' internal audit team, legitimately copied 100,000 employees' records in the course of his employment. He proceeded to make a further copy and later leaked the records in an act of vengeance against Morrisons for disciplining him in an unrelated matter. It was Skelton's intention to cause financial damage to Morrisons. Skelton was subsequently convicted and jailed for eight years for his actions.
Almost 10,000 victims of Skelton's actions brought a case against Morrisons. Initially the case was one of both primary liability and vicarious liability. The Claimants lost on primary liability at first instance, as Morrisons had done all it reasonably could to prevent such a breach taking place. However, the judge found in favour of the Claimants on the point of vicarious liability, although the judge was seemingly troubled by the concept of the Court assisting a criminal in achieving his goal of causing financial damage to Morrisons. The matter was appealed to the Court of Appeal, which upheld the decision of the Court of first instance.
The matter was further appealed to the Supreme Court and heard over two days in November 2019. The judgment was released today (1st April 2020) and the Court has unanimously allowed Morrisons' appeal, finding that both the court of first instance and the Court of Appeal misunderstood the principles governing vicarious liability and the concept of close connection.
Lord Reed gave the only judgment, in which the Court found that the disclosure by Skelton was not part of his "field of activities", as he was not acting in the ordinary course of his employment. There has to be a close connection between the disclosure and Skelton's authorised duties, as opposed to merely a causal connection. The Court further said it was very relevant that Skelton was acting for purely personal reasons rather than in furtherance of his employer's business: he was pursuing a vendetta against Morrisons. The fact that his employment gave him the opportunity to commit the wrongful act is not sufficient to impose vicarious liability.
Although the Court had made its decision in favour of Morrisons on the issue of vicarious liability, it nevertheless considered a secondary argument pursued by Morrisons: whether the Data Protection Act 1998, the relevant law in force at the time, implicitly excluded vicarious liability. The Court's view was that this argument was not persuasive and that vicarious liability was not excluded. This was largely irrelevant, as the Court had already allowed Morrisons' appeal on the ground above.
Does this mean we cannot be sued for the acts of our employees?
The answer is that you can still be sued. If you have failed to put in place appropriate technical and organisational measures that would have, on the balance of probabilities, prevented such a breach, then the issue of vicarious liability will not arise, as you will likely be primarily liable.
One of the most common appropriate organisational measures I often see missing, and one that could well prevent an employee committing a data breach, whether malicious or accidental, is staff training. It is very important that all staff who handle or have access to any personal data receive annual data protection training. If this is not in place, it may well be that you would not be able to rely upon the Morrisons case as a defence, as you may well be primarily liable. Indeed, if you have ever had the unfortunate task of reporting a breach to the Information Commissioner's Office, you will see that one of the questions on the form asks whether the person involved has had any recent data protection training.
To summarise, if a rogue employee steals data and leaks that data in a way which was not part of their normal work activities, and there is no close connection, then as long as you have done all you reasonably could to prevent this occurring, including training, you are likely able to rely upon the Morrisons case as a defence.
If the data breach occurred as a result of an accidental act of an employee, then you are unlikely to be able to use the Morrisons case as part of any defence. It would still be equally important to be able to show that you have provided data protection training to the employee involved.
About the author
John Green is a senior lawyer who specialises in data protection, cyber security and civil litigation. He is an in-house lawyer at Green CDL and provides legal advice to organisations faced with legal claims. John has studied at the prestigious Harvard Law School and, more recently, at Harvard Kennedy School and the Defence Academy of the United Kingdom. John is also a keen ethical hacker, a cyber security and data protection trainer, and a public speaker.
Green CDL offers cyber security and data protection training, consultancy and advice. We provide Cyber Essentials certification and IAPP approved data protection training for professionals.