[BreachExchange] Morrisons not liable for massive staff data leak, court rules
Destry Winant
destry at riskbasedsecurity.com
Thu Apr 2 10:27:14 EDT 2020
https://www.theguardian.com/business/2020/apr/01/morrisons-is-not-liable-for-massive-staff-data-leak-court-rules
The UK’s highest court has ruled that Morrisons should not be held
liable for the criminal act of an employee with a grudge who leaked
the payroll data of about 100,000 members of staff.
The supermarket group brought a supreme court challenge in an attempt
to overturn previous judgments which gave the go-ahead for
compensation claims by thousands of employees whose personal details
were posted on the internet.
A panel of five justices unanimously ruled on Wednesday that Morrisons
was not “vicariously liable” for the actions of Andrew Skelton, who
disclosed staff information online and also sent it to newspapers.
Announcing the decision via live-stream, the court’s president, Lord
Reed, said Skelton had leaked the data because of a “grudge” after he
was given a verbal warning following disciplinary proceedings.
The judge said employers could only be held liable for the actions of
employees if they were “closely connected” with their duties at work.
He said: “In the present case, Skelton was not engaged in furthering
Morrisons’ business when he committed the wrongdoing in question. On
the contrary, he was pursuing a personal vendetta, seeking revenge for
the disciplinary proceedings a month earlier.
“In these circumstances, applying the established approach to cases of
this kind, his employer is not vicariously liable.”
A statement issued by Morrisons after the ruling said: “The theft of
data happened because a single employee with legitimate authority to
hold the data also held a secret and wholly unreasonable grudge
against Morrisons and wanted to hurt the company and our colleagues.
“We are pleased that the supreme court has agreed that Morrisons
should not be held vicariously liable for his actions when he was
acting alone, to his own criminal plan and he’s been found guilty of
this crime and spent time in jail.
“A court has already found that Morrisons was not responsible for any
direct wrongdoing in respect of this data theft.”
In July 2015, Skelton was found guilty at Bradford crown court of
fraud, securing unauthorised access to computer material and
disclosing personal data, and was jailed for eight years.
Nick McAleenan, a partner and data rights specialist lawyer for JMW
Solicitors, who represented the group of 9,000 claimants in the
landmark class action against Morrisons, said: “My clients entrusted
their personal information to their employer, Morrisons, in good
faith.
“When their information was subsequently uploaded to the internet by a
fellow employee, it caused an enormous amount of upset and distress to
tens of thousands of people.
“The supreme court’s decision now places my clients, the backbone of
Morrisons’ business, in the position of having no legal avenue
remaining to challenge what happened to them.
“My clients are of course hugely disappointed by the decision, which
contradicts two earlier unanimous findings in their favour.”
The decision overturns previous rulings in the high court and court of
appeal, which held that Morrisons was vicariously liable for Skelton’s
actions.
More information about the BreachExchange
mailing list