Morrisons staff who had personal details leaked online by an employee pursuing a “vendetta” against the supermarket giant will not receive any compensation following a Supreme Court ruling.
The UK’s highest court ruled on Wednesday that the company should not be held liable for the criminal acts of Andrew Skelton – an internal auditor who leaked the payroll data of around 100,000 members of staff in “revenge” for being given a verbal warning.
The ruling overturned previous judgments which gave the go-ahead for compensation claims by thousands of employees whose personal details were posted on the internet and sent to newspapers.
Lawyers for a group of 9,000 claimants who brought the landmark class action against Morrisons said they were “hugely disappointed” by the ruling, adding it leaves them with no hope of securing damages for the leak of their data.
Nick McAleenan, a partner and data rights specialist lawyer for JMW Solicitors, who represented the group, said: “My clients entrusted their personal information to their employer, Morrisons, in good faith.
“When their information was subsequently uploaded to the internet by a fellow employee, it caused an enormous amount of upset and distress to tens of thousands of people.
“The Supreme Court’s decision now places my clients, the backbone of Morrisons’ business, in the position of having no legal avenue remaining to challenge what happened to them.
“My clients are of course hugely disappointed by the decision, which contradicts two earlier unanimous findings in their favour.
“The claimants, of course, respect the decision, but the troubling part of this conclusion is that the wrongdoer in this case also wanted to damage his own colleagues, not just Morrisons, and he did so in dramatic fashion.”
Mr McAleenan said that despite losing overall, the claimants had won on an important aspect of the case regarding employers’ liability for data breaches caused by employees.
He said: “This ruling enhances the protection of data for millions of people in this country who are obliged to hand over their own information to businesses every single day. It will raise standards.
“Morrisons’ staff have lost their claim, but through their legal action they have enhanced the data rights of everyone in the UK.”
A panel of five justices unanimously concluded that Morrisons was not “vicariously liable” for Skelton’s actions, with the court’s president Lord Reed stating employers can only be held liable for the actions of employees if they are “closely connected” with their duties at work.
Lord Reed said: “In the present case, Skelton was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question.
“On the contrary, he was pursuing a personal vendetta, seeking revenge for the disciplinary proceedings a month earlier.
“In these circumstances, applying the established approach to cases of this kind, his employer is not vicariously liable.”
In a statement issued after the ruling, Morrisons said: “The theft of data happened because a single employee with legitimate authority to hold the data also held a secret and wholly unreasonable grudge against Morrisons and wanted to hurt the company and our colleagues.
“We are pleased that the Supreme Court has agreed that Morrisons should not be held vicariously liable for his actions when he was acting alone, to his own criminal plan, and he’s been found guilty of this crime and spent time in jail.
“A court has already found that Morrisons was not responsible for any direct wrongdoing in respect of this data theft.
“We also know that many colleagues appreciated the way we got the data taken down quickly, provided protection for their bank accounts and reassured them that they would not, in any circumstances, be financially disadvantaged.
“In fact, we’ve seen absolutely no evidence of anyone suffering any direct financial loss.”
The decision overturns previous rulings in the High Court and Court of Appeal, which held that Morrisons was vicariously liable for Skelton’s actions.
It was argued on behalf of Morrisons that if those findings were allowed to stand, the company, although “entirely blameless”, would be exposed to “compensation claims on a potentially vast scale”.
The latest round of the litigation at the Supreme Court followed a blow for Morrisons at the Court of Appeal in October 2018, when three leading judges upheld a 2017 High Court finding on the issue of liability.
Legal action was launched after a security breach in 2014 when Skelton, a senior internal auditor at the retailer’s Bradford headquarters, leaked the payroll data of around 100,000 employees.
Information included their names, addresses, bank account details and salaries.
Lawyers for the claimant group previously described the action as a “classic David and Goliath case”.
They sought compensation for the upset and distress caused in a case with potential implications for every individual and business in the country.
In July 2015, Skelton was found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data, and was jailed for eight years.