View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Policy
October 23, 2018

Morrisons Loses Data Breach Appeal: A “Serious Warning” for Business Leaders

Court finds "an unbroken thread linked Skelton’s employment to the disclosure as a 'seamless and continuous sequence of events'"

By CBR Staff Writer

Supermarket Morrisons has been held “vicariously liable” for a former employee leaking personal information of some 100,000 members of staff, in a ruling that has sent shivers up the spine of CIOs and CISOs around the country.

It lost its appeal yesterday in a landmark High Court ruling following the UK’s first data protection class action, made by 5,518 claimants. The Bradford-based chain has vowed to appeal against the Court of Appeal’s ruling.

The outcome has significant implications for all data controllers and data processors as Morrisons was held vicariously liable even though, overall, it had discharged its own obligations as required under the Data Protection Act 1998 and common law.

morrisons data caseMorrisons Data Case: What’s the Background?

The case was launched after workers’ personal details were leaked online by IT employee Andrew Skelton in 2014.

Skelton, who was jailed for eight years in July 2015 for his actions, leaked details including salaries, dates of birth and more.

If the supermarket continues to lose its appeals, it will have to pay substantial compensation to 5,518 claimants.

The Ruling: No Primary Liability, But… 

The initial landmark ruling in January this year found that Morrisons had no “primary liability”. Vicarious liability depended on whether a sufficient connection existed between the actions of Skelton and the “course of [his] employment.”

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

The court found, as law firm Allen & Overy emphasises, that there was a sufficient connection because:

an unbroken thread linked Skelton’s employment to the disclosure as a “seamless and continuous sequence of events”;
> Morrisons deliberately entrusted Skelton with the data during the course of his employment; and
> Morrisons tasked Skelton with receiving, storing and disclosing the data therefore, his actions (albeit unlawful) were closely related to the task he was given.

“A Serious Warning” for Business Leaders

Oz Alashe, CEO of cybersecurity awareness and training platform, CybSafe, told Computer Business Review in an emailed statement: “This failed appeal serves as a serious warning for business leaders across the country.”

He added: “Organisations now have a far greater duty of care to protect users and prevent the unlawful activities of disgruntled staff. They must be far more careful about what information staff have access to across every part of the business. For very large organisations in particular, this ruling drastically complicates their requirements to guard against the risk of data security breaches.”

Lesley Holmes, Data Protection Officer at MHR, added: “This case highlights the levels of technical and organisational controls that need to be in place even in the most trusted parts of your business to ensure that personal data is not stolen or otherwise misused.”

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.