Supermarket chain Morrisons has this week told the Supreme Court in London that it is not liable for a data breach way back in 2014.
The supermarket is seeking to overturn a Court of Appeal ruling in 2018 that supported a lawsuit from 5,518 current and former employees.
The case centres around a damaging data breach in 2014, when disgruntled internal auditor Andrew Skelton posted online personal details of staff that included salary data.
Skelton was jailed for eight years in 2015 for obtaining the names, addresses, bank account details and salaries of roughly 100,000 employees and posting them online.
He is due to be released from prison in January.
Skelton also sent the data to a number of newspapers who then alerted the supermarket.
But the supermarket has consistently argued that it is not responsible for the actions of a rogue employee, and has taken the case right up to the Supreme Court.
“In relation to vicarious liability, we say the legal test is whether there is a sufficiently close connection between the wrongful conduct of the employee and what he was employed to do, assessed by ref to job function, time, when did he carry out the acts, the geography, where did he carry out the acts and motive,” Lord Pannick QC, working on behalf of Morrisons, was quoted as saying by the Register.
“It’s not sufficient for the claimants to show that the employment provided the opportunity for the wrongdoing,” Lord Pannick reportedly said.
“When Mr Skelton downloaded the data onto his personal USB he had metaphorically taken off his uniform,” said Lord Pannick. “He wasn’t acting or purporting to act on behalf of his employer or for the purpose of his employment.
Essentially, the case comes down to a simple question. Was former Morrisons auditor Andrew Skelton acting “in the course of his employment” when he copied nearly 100,000 people’s payroll data to a USB stick and dumped it on a hidden Tor site?
It be noted that Morrisons wasn’t the only British supermarket to suffer a data breach in 2014.
That same year thousands of online Tesco customers had to have their accounts deactivated after user details were leaked and posted online.
Do you know all about security? Try our quiz!
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…
US prosecutors confirm earlier reports, demand Google sells off Chrome web browser and end default…
View Comments
Vicarious liability tricky one. If its a criminal act rather than negligent and one that the employer would not reasonably expect to occur, after all auditors are meant to be trustworthy, then it would seem unfair to penalise them.
However if they knew he was disgruntled then maybe there is a case?