Morrisons wins data breach case in Supreme Court

The Supreme Court has today given its verdict on a landmark data breach case involving Morrisons supermarkets, ruling that it is not liable for the criminal act of an employee who leaked payroll data, and therefore personal data, of thousands of staff members.

The case centres on a senior IT internal auditor who was employed by Morrisons. He was given an oral warning for misusing his employer’s postal facilities and, to get his own back, he copied data containing information about nearly 100,000 members of staff, which he then anonymously placed on a file sharing website.

The data consisted of the names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and salary details of the staff.

The employee was convicted of fraud, an offence under the Computer Misuse Act 1999 and under section 55 of the Data Protection Act 1998. He was imprisoned for eight years.

Over 5,500 employees brought a joint action against Morrisons seeking damages for the misuse of their personal information.

Whilst none appeared to have suffered any direct financial loss, they claimed for distress, anxiety, upset and damage. Financial loss is no longer needed to make a claim under the data protection legislation, so these things can be claimed on their own. The employees alleged that Morrisons was primarily liable for the breach and, alternatively, that it was vicariously liable for the wrongful conduct of its employee.

The Court of Appeal originally ruled that Morrisons was not responsible for the breach but said it was vicariously liable for the deliberate and criminal breaches of payroll data.

However, the Supreme Court has overturned this judgment and, according to employment lawyers at Irwin Mitchell, the decision will be welcomed by many businesses.

Glenn Hayes, an employment law partner at Irwin Mitchell, said: “The key question for the courts here is was the wrongdoing done ‘in the course of employment’?

“The Court of Appeal had held that the motive of the employee was ‘irrelevant’ and that Morrisons was responsible for the fact that he deliberately uploaded the data of around 100,000 members of staff to a publicly accessible website. The Supreme Court has however said this was wrong and that Morrisons was not liable for its employee’s deliberate acts.

“The test is whether an employee’s wrongdoing is so closely connected with the acts they are authorised to do, such that it can be properly regarded as being done by their employer. In this case, the employee was pursuing a personal vendetta and Morrisons was not responsible for the subsequent fall out.

“Employers will welcome this decision and will be reassured that they won’t usually be responsible for the actions of any member of staff who deliberately inflicts harm on it or their staff. For a while, it had looked as though the scope of vicarious liability was becoming enormously, and dangerously, wide.”

Richard Hayllar, partner at UK law firm TLT, says: “This ruling is obviously a significant one for Morrisons, but will also be welcomed by all large retailers who will likely be breathing a sigh of relief that they won’t be held accountable for the deliberate or malicious acts of rogue employees.

“The success of Morrisons’ Supreme Court challenge in overturning the judgment of the Court of Appeal indicates a sensible and balanced approach to vicarious liability for employers. Most large businesses already have stringent policies, procedures and training in place to prevent the misuse of data, but if the previous judgments had been upheld this would have set an exceptionally high bar for employers to meet.

“The news will not be welcomed by the thousands of employees in this case who have been left without recourse for the misuse of their personal data. We have seen a steady increase in data protection claims brought by claims management companies. While this judgment will now limit their ability to bring actions when there has been a deliberate malicious act by an employee, it will not limit them bringing claims where the employer is at fault.”