Corporate briefing: employers are at risk from workers with a grudge, following the Court of Appeal ruling in the Morrisons data breach case

On 22 October 2018 the Court of Appeal dismissed Morrisons’ appeal against Mr Justice Langstaff’s High Court ruling that it was vicariously liable for a data breach by an employee: [2018] EWCA Civ 2339. The employee, Andrew Skelton, had deliberately disclosed personal data relating to more than 5,000 employees and, by doing so, committed a criminal act and was in breach of an obligation of confidence and, perhaps most importantly, of the Data Protection Act 1998 (“DPA”).

Skelton was a senior IT internal auditor employed by Morrisons. Unknown to Morrisons, he held a grudge against his employer in respect of an earlier disciplinary hearing, where he was given a verbal warning. The data breach occurred when the external auditors, KPMG, asked for a number of categories of data (including payroll data). Skelton was given the USB stick with the data and downloaded the data onto his laptop, before copying the data onto another encrypted USB from KPMG, which he returned to that firm.

Some days later, while at work, he copied the payroll data onto a personal USB, and later posted personal data relating to 99,998 employees on a file sharing site. He also sent CDs anonymously to three national newspapers. Alerted by the newspapers, Morrisons contacted the police within a few hours and ensured the website was taken down. Skelton was subsequently arrested and charged with fraud and offences under the Computer Misuse Act 1990 and DPA, s 55. He was convicted and sentenced to eight years’ imprisonment.

A group action was commenced by 5,518 employees seeking damages for misuse of private information, breach of confidence and breach of the statutory duty owed under DPA, s 4(4). The action claimed that Morrisons was primarily liable under those heads of claim or, if not, that it was vicariously liable for the wrongful conduct of Skelton.

Basis of liability

At first instance it was held that, save for failing to delete the data after use, Morrisons had provided adequate and appropriate controls. Since Morrisons did not itself misuse the data, the judge dismissed the claim that Morrisons had primary liability. However (and there was a hint of reluctance in this regard), he found Morrisons vicariously liable, as it was responsible for the actions of its employee during the course of his employment.

The Court of Appeal rejected the supermarket’s arguments that (a) the DPA did not cover the wrongful processing of data caused by an employee’s breach; and (b) the test for vicarious liability failed since the employee was not “on the job” at the time of the breach. The court decided that the complete absence of any DPA provision addressing the employer’s position for a DPA breach by an employee inevitably meant the High Court was correct to hold that the common law remedy of vicarious liability of the employer in such circumstances was not expressly or impliedly excluded by the DPA. It also unanimously agreed that the acts committed were within the field of the activities assigned to Skelton and constituted a “seamless and continuous sequence” or an “unbroken chain” of events, and that there was no exception to the irrelevance of the motive of the employee, even where the motive was to cause further financial and reputational damage to the employer (a point that particularly troubled the court at first instance).

The appeal judges were aware of the potentially catastrophic effects this judgment could have for companies when dealing with data breaches caused either by their system failures or the negligence or wrongful acts of their employees. With the GDPR and the Data Protection Act 2018 now in force, the position is more severe. Section 56 of the Act imposes obligations on data controllers to ensure that appropriate data protection policies and technical and security measures are in place; s 66 imposes obligations on controllers to implement security systems to prevent unauthorised processing; and s 170 makes it an offence to disclose personal data without the consent of the controller.

Article 82 of the GDPR provides the right to claim compensation (for breaches causing material or non-material damage) from data controllers or processors, and the ICO also has power to impose sanctions of up to €20 million or 4% of global annual turnover. Now, more than ever, employers must ensure that their internal policies for employees and contractors are up to date and review their security measures, focusing on encryption, remote “wiping” of devices, and so on. The court’s practical, if somewhat unusual, advice was for businesses to make sure their insurance policies cover such eventualities.

Watch this space, though, as Morrisons intends to appeal to the Supreme Court.

The Author
Sophie Graham, solicitor, Wright, Johnston & Mackenzie LLP