Morrisons Tells Supreme Court It Is Not Liable For Breach

Supermarket chain Morrisons has this week told the Supreme Court in London that it is not liable for a data breach way back in 2014.

The supermarket is seeking to overturn a Court of Appeal ruling in 2018 that supported a lawsuit from 5,518 current and former employees.

The case centres around a damaging data breach in 2014, when disgruntled internal auditor Andrew Skelton posted online personal details of staff that included salary data.

Morrisons breach

Skelton was jailed for eight years in 2015 for obtaining the names, addresses, bank account details and salaries of roughly 100,000 employees and posting them online.

He is due to be released from prison in January.

Skelton also sent the data to a number of newspapers who then alerted the supermarket.

But the supermarket has consistently argued that it is not responsible for the actions of a rogue employee, and has taken the case right up to the Supreme Court.

“In relation to vicarious liability, we say the legal test is whether there is a sufficiently close connection between the wrongful conduct of the employee and what he was employed to do, assessed by ref to job function, time, when did he carry out the acts, the geography, where did he carry out the acts and motive,” Lord Pannick QC, working on behalf of Morrisons, was quoted as saying by the Register.

“It’s not sufficient for the claimants to show that the employment provided the opportunity for the wrongdoing,” Lord Pannick reportedly said.

“When Mr Skelton downloaded the data onto his personal USB he had metaphorically taken off his uniform,” said Lord Pannick. “He wasn’t acting or purporting to act on behalf of his employer or for the purpose of his employment.

Liable or not?

Essentially, the case comes down to a simple question. Was former Morrisons auditor Andrew Skelton acting “in the course of his employment” when he copied nearly 100,000 people’s payroll data to a USB stick and dumped it on a hidden Tor site?

It be noted that Morrisons wasn’t the only British supermarket to suffer a data breach in 2014.

That same year thousands of online Tesco customers had to have their accounts deactivated after user details were leaked and posted online.

Do you know all about security? Try our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

View Comments

  • Vicarious liability tricky one. If its a criminal act rather than negligent and one that the employer would not reasonably expect to occur, after all auditors are meant to be trustworthy, then it would seem unfair to penalise them.

    However if they knew he was disgruntled then maybe there is a case?

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago