Why the Morrisons data leak ruling is a relief for businesses

The Supreme Court ruled on April 1 that the Bradford-based supermarket should not be held “vicariously liable” for the criminal act of an employee with a “grudge” who leaked payroll data of around 100,000 members of staff.

Morrisons brought a Supreme Court challenge in a bid to overturn previous judgements which gave the go-ahead for compensation claims by around 9,000 employees whose personal details were posted on the internet.

Paul Berwin, senior partner at Berwins Solicitors, said he was surprised that the High Court and Court of Appeal held Morrisons vicariously liable.

Mr Berwin added: “A lot of people looking at it from my end of things felt it was wrong. When we were doing seminars about Data Protection, we’ve been bringing this up over the last couple of years.

“This is why you have to be extra vigilant about the protections within your organisations. People were quite shocked that Morrisons would be liable for that but before the Supreme Court got involved, some very clever judges said that they would.”

A panel of five justices unanimously ruled that Morrisons was not liable for the actions of Andrew Skelton, an internal auditor who disclosed staff information on the internet and also sent it to newspapers in “revenge” for being given a verbal warning.

Lord Reed, president of the Supreme Court, said: “In the present case, Skelton was not engaged in furthering Morrisons' business when he committed the wrongdoing in question.

“On the contrary he was pursuing a personal vendetta, seeking revenge for disciplinary proceedings from months earlier.

“In those circumstances, applying the established approach to cases of this kind, his employer is not vicariously liable.”

The ruling will be a relief for businesses, according to Mr Berwin.

“I’m sure if other claims are brought then people will be going back and looking at this case,” he said.

Directors at Morrisons were asked whether the firm had made any financial provisions that would help pay its costs for the case at their first quarter results.

Michael Gleeson, chief financial officer at Morrisons, said: "No, there was no provision at the end of the year.

"We did disclose that the case was present, but there was no provision at the year end."

The cost of litigation is very expensive particularly if it goes to the High Court, Mr Berwin said.

He added: “A lot of businesses will carry legal expenses insurance and they should carry legal expenses insurance.

“This case may well make it more likely that the insurers will stand behind companies rather than encourage them to settle.”

Since this incident took place, General Data Protection Regulation (GDPR) has come into effect.

The UK legislation that followed it requires companies to have a higher level of accountability.

Mr Berwin said: “Prior to that, particularly because the fines were not very big, companies could be reasonably casual with how they protected personal data.

“They’ve now become a lot more aware of the danger because the financial risk is so much higher.”

Mr Skelton was found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data, and was jailed for eight years in July 2015.