The UK’s highest court has ruled that Morrisons should not be held liable for the criminal act of an employee with a “grudge” who leaked the payroll data of around 100,000 members of staff.
The supermarket giant brought a Supreme Court challenge in a bid to overturn previous judgments which gave the go-ahead for compensation claims by thousands of employees whose personal details were posted on the internet.
A panel of five justices unanimously ruled on Wednesday that Morrisons was not “vicariously liable” for the actions of Andrew Skelton, who disclosed staff information on the internet and also sent it to newspapers.
Announcing the decision via livestream, the court’s president, Lord Reed, said Skelton leaked the data because of a “grudge” after he was given a verbal warning following disciplinary proceedings.
The judge said employers could only be held liable for the actions of employees if they were “closely connected” with their duties at work.
He said: “In the present case, Skelton was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question.
“On the contrary, he was pursuing a personal vendetta, seeking revenge for the disciplinary proceedings a month earlier.
“In these circumstances, applying the established approach to cases of this kind, his employer is not vicariously liable.”
A statement issued by Morrisons after the ruling said: “The theft of data happened because a single employee with legitimate authority to hold the data, also held a secret and wholly unreasonable grudge against Morrisons and wanted to hurt the company and our colleagues.
“We are pleased that the Supreme Court has agreed that Morrisons should not be held vicariously liable for his actions when he was acting alone, to his own criminal plan and he’s been found guilty of this crime and spent time in jail.
“A court has already found that Morrisons was not responsible for any direct wrongdoing in respect of this data theft.
“We also know that many colleagues appreciated the way we got the data taken down quickly, provided protection for their bank accounts and reassured them that they would not, in any circumstances, be financially disadvantaged.
“In fact, we’ve seen absolutely no evidence of anyone suffering any direct financial loss.”
Nick McAleenan, a partner and data rights specialist lawyer for JMW Solicitors, who represented the group of 9,000 claimants in the landmark class action against Morrisons, said: “My clients entrusted their personal information to their employer, Morrisons, in good faith.
“When their information was subsequently uploaded to the internet by a fellow employee, it caused an enormous amount of upset and distress to tens of thousands of people.
“The Supreme Court’s decision now places my clients, the backbone of Morrisons’ business, in the position of having no legal avenue remaining to challenge what happened to them.
“My clients are of course hugely disappointed by the decision, which contradicts two earlier unanimous findings in their favour.”
He added: “The claimants, of course, respect the decision, but the troubling part of this conclusion is that the wrongdoer in this case also wanted to damage his own colleagues, not just Morrisons, and he did so in dramatic fashion.”
The decision overturns previous rulings in the High Court and Court of Appeal, which held that Morrisons was vicariously liable for Skelton’s actions.
It was argued on behalf of Morrisons that if those findings were allowed to stand, the company, although “entirely blameless”, would be exposed to “compensation claims on a potentially vast scale”.
The latest round of the litigation at the Supreme Court followed a blow for Morrisons at the Court of Appeal in October last year, when three leading judges upheld a 2017 High Court finding on the issue of liability.
Legal action was launched after a security breach in 2014 when Skelton, a senior internal auditor at the retailer’s Bradford headquarters, leaked the payroll data of around 100,000 employees.
Information included their names, addresses, bank account details and salaries.
Lawyers for more than 9,000 claimants have previously described the action as a “classic David and Goliath case”.
They sought compensation for the upset and distress caused in a case with potential implications for every individual and business in the country.
In July 2015, Skelton was found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data, and was jailed for eight years.
The Supreme Court was asked to decide whether the Data Protection Act 1998 excludes the application of vicarious liability to a breach of that Act, or for misuse of private information or breach of confidence.
It was also asked to rule on whether the Court of Appeal “erred in concluding that the disclosure of data” by its employee occurred in the course of his employment, for which the company should be held vicariously liable.