UK's first data leak group action case

Legalbrief Today Issue 4911

The UK Supreme Court has sided with Morrisons in the UK’s first data leak group action, finding the grocery giant was not vicariously liable for a massive data breach committed by a disgruntled employee. According to a Law Gazette report, in a unanimous ruling, five Supreme Court justices ruled this week that the Court of Appeal ‘misunderstood the principles governing vicarious liability in a number of relevant respects’, including whether the employee had been acting in his ‘field of activities’ when he committed the crime, and whether there was a sufficient connection between his job and his wrongful conduct. The case concerns a security breach in which personal data of more than 100 000 staff was posted online. In 2013, Andrew Skelton, then a senior internal auditor, was tasked with transmitting payroll data to KPMG: Skelton went on to publish the information online and send it anonymously to UK newspapers. Skelton, who bore a grudge against the supermarket after being disciplined in July 2013, received an eight-year jail sentence and 5 000 Morrisons employees subsequently brought a group action for compensation. In a judgment handed down this week, the Supreme Court allowed Morrisons’ appeal, finding that the online disclosure of the data was not part of Skelton’s ‘field of activities’, as it was not an act he was authorised to do. Nick McAleenan, a partner at JMW Solicitors who represented the claimants, said: ‘The Supreme Court’s decision now places my clients, the backbone of Morrisons’ business, in the position of having no legal avenue remaining to challenge what happened to them … The Supreme Court effectively decided that where a wrongdoer leaks data with the specific intention to harm their employer, the employer may not be held vicariously responsible.’

Full Law Gazette report

Full Out-Law.com report

UK Supreme Court judgment