Grocery Liability: Morrisons appeal to Supreme Court over Data Breach

May 7, 2019

3 min read

Sign up to our mailing list! 👇

What's going on here?

The Supreme Court has granted permission to Morrisons for its appeal against the Court of Appeal judgment in Morrison Supermarkets PLC v Various Claimants. This could be a landmark case in the area of vicarious liability for employers.

What does this mean?

Former Morrisons employee Andrew Skelton (who worked there as a senior internal auditor) caused a security breach in 2014 by leaking payroll data (read our original report on the leak here). Skelton was found guilty of fraud as he disclosed personal staff data, and was jailed for 8 years.

In December 2017, in the UK’s first data leak group-action, Mr Justice Langstaff in the High Court of London concluded that a company can be held vicariously liable in respect of data breaches caused by its employees. The effect of this judgement is that a company can be held liable to compensate victims for loss (including non-pecuniary loss such as distress) caused by a data breach. This may be the case even where the company has taken preventative measures and has committed no wrongdoing itself. Nicola Fulford (a partner at Hogan Lovells) said it was “somewhat surprising” that Morrisons lost on vicarious liability, given that Skelton had been convicted of a criminal offence.

In October 2018, the Court of Appeal unanimously affirmed the High Court’s decision. After this, the supermarket’s only chance of appeal was through application to the Supreme Court.

Nick McAleenan (a partner at JMW Solicitors, representing the victims of the breach) has described the situation as a “classic David and Goliath case”. He said that “it cannot be right that there should be no legal recourse where employee information is handed in good faith to one of the largest companies in the UK and then released on such a large scale.” On the other hand, Beth Hale (technical director at CM Murray, a specialist employment law firm) said that many employers will find it surprising that they could be liable for the malicious actions of a disgruntled ex-employee.

What's the big picture effect?

Recently there have been legislative changes made by the EU General Data Protection Legislation (GDPR) that heighten data protection. As well as this, there’s now an increased awareness of data protection from the public. This case could contribute to a rise in class-action cases from workers or customers in the event of a data breach.

The Court of Appeal suggested that insurance could be the answer to an employer’s complaints about the effects of its decision. Cyber-insurance typically covers claims for breaches of confidential information. However, cyber insurance is a relatively new concept in the UK with limited claims experience. It remains to be seen whether insurance will be effective in offsetting the increased risk that organisations face with regards to data breaches.

However, it is now in the hands of the Supreme Court to either uphold or overturn this decision. Tim Smith (Head of Technology, Media and Telecoms at law firm BLM) said, “whilst this means that Morrisons gets another chance to make its case, it may face an uphill struggle having lost in the High Court and Court of Appeal, and with a body of case law that seems to go against it. Nonetheless, many businesses and their insurers will be hoping that the appeal succeeds.”

For now, we’ll all have to watch and wait…

Report written by Erin S

If you’d like to write for LittleLaw, click here!

Share this now!