Supermarket chain Morrisons has this week told the Supreme Court in London that it is not liable for a data breach way back in 2014.
The supermarket is seeking to overturn a Court of Appeal ruling in 2018 that supported a lawsuit from 5,518 current and former employees.
The case centres around a damaging data breach in 2014, when disgruntled internal auditor Andrew Skelton posted online personal details of staff that included salary data.
Skelton was jailed for eight years in 2015 for obtaining the names, addresses, bank account details and salaries of roughly 100,000 employees and posting them online.
He is due to be released from prison in January.
Skelton also sent the data to a number of newspapers who then alerted the supermarket.
But the supermarket has consistently argued that it is not responsible for the actions of a rogue employee, and has taken the case right up to the Supreme Court.
“In relation to vicarious liability, we say the legal test is whether there is a sufficiently close connection between the wrongful conduct of the employee and what he was employed to do, assessed by ref to job function, time, when did he carry out the acts, the geography, where did he carry out the acts and motive,” Lord Pannick QC, working on behalf of Morrisons, was quoted as saying by the Register.
“It’s not sufficient for the claimants to show that the employment provided the opportunity for the wrongdoing,” Lord Pannick reportedly said.
“When Mr Skelton downloaded the data onto his personal USB he had metaphorically taken off his uniform,” said Lord Pannick. “He wasn’t acting or purporting to act on behalf of his employer or for the purpose of his employment.
Essentially, the case comes down to a simple question. Was former Morrisons auditor Andrew Skelton acting “in the course of his employment” when he copied nearly 100,000 people’s payroll data to a USB stick and dumped it on a hidden Tor site?
It be noted that Morrisons wasn’t the only British supermarket to suffer a data breach in 2014.
That same year thousands of online Tesco customers had to have their accounts deactivated after user details were leaked and posted online.
Do you know all about security? Try our quiz!
Industrial dispute of Samsung workers in India escalates, as tech giant warns of no pay…
National security move. Ukraine reportedly bans Telegram on state-issued devices due to Russian security threat
X at risk of $900,000 daily fine, as Justice de Moraes calls out “willful, illegal…
Discover the evolution of AI in the Silicon UK AI For Your Business Podcast: Turing’s…
Explore the latest trends in E-commerce with the Silicon UK In Focus Podcast. Discover how…
Chasing the almighty dollar. Alphabet's YouTube reportedly confirms it is delivering adverts on a user's…
View Comments
Vicarious liability tricky one. If its a criminal act rather than negligent and one that the employer would not reasonably expect to occur, after all auditors are meant to be trustworthy, then it would seem unfair to penalise them.
However if they knew he was disgruntled then maybe there is a case?