Supreme Court: Morrisons Could Be Liable for Data Leak

In 2014 a disgruntled Morrisons senior internal auditor, Andrew Skelton, allegedly stole and shared financial details, including payroll data, of 100,000 of the company’s employees with the public. The employee was arrested and sentenced to eight years in prison, but the supermarket has since been in discussion over serious fines and vicarious liability for the data leak.

The final ruling from the Supreme Court could see Morrisons paying out potentially tens of thousands of pounds in compensation to around 9,000 employees, victims of the breach, suing it.

Morrisons defence against the liability claim is that, according to Lord Pannick QC, of Blackstone Chambers, there was not a sufficiently close connection between Skelton’s wrongful conduct and what he was employed to do to justify a ruling of vicarious liability. Skelton’s access to the financial data in question is said to have been “limited” and “all that links Mr Skelton’s conduct to his employment is that his criminal pl an began at work.”

According to The Register, barrister Jonathan Barnes told the Supreme Court during the most recent hearing: “Cutting to the chase, it’s not a case where the office cleaner finds a thumb drive, picks it up and takes the opportunity to make some use of it.”

“Morrisons [argues that it] is not the data controller,” he said, continuing: “So if we strip out the words ‘data controller’ from Morrisons’ description of itself at paragraph 97 of [its filed] case, we’re left with ‘innocent compliant employer’. But the condition of being an innocent compliant employer certainly does not ordinarily exempt an employer from a finding of vicarious liability.”

The recent hearing comprised many previous case studies, and several examples of analogies pertaining to case law, but in the end Morrisons, and all those following this case, will have to wait until 2020 for the final verdict.