
Supreme Court hears Morrisons defence of rogue auditor data breach

Supermarket chain Morrisons has made a final bid in the UK’s top court to shrug off vicarious liability claims that it is responsible for a massive data breach by a disgruntled auditor who leaked staff payroll details online.

13th Nov 2019

Facing the UK’s Supreme Court on Wednesday 6 and Thursday 7 November, retailer Morrisons said it was ultimately not to blame for the actions of Andrew Skelton, a former senior internal auditor who posted the financial details of 100,000 employees of the business online in a grudge attack.

More than 9,000 individuals in the suit WM Morrison Supermarkets plc v Various Claimants are now seeking compensation in the UK’s first data breach class action, and experts say the “potentially ruinous” compensation case should serve as a warning to all businesses over their data security procedures.

“This is a classic case of an angry employee seeking revenge for an alleged slight,” said Matt Lock, technical director at data security platform Varonis. “When workers hand their sensitive data over to their employer, they put their trust in that company to protect it from criminals both inside and outside the organisation. It only takes one bad seed with enough data access to create a costly nightmare for a company.”

Morrisons was first judged to be vicariously liable in a High Court ruling in 2017, and in October 2018 the Court of Appeal upheld the original verdict of the High Court.

The supermarket then applied to the Supreme Court for permission to appeal, which was granted on April 15, 2019. The case was heard in front of five justices, led by Lady Hale.

Since the Court of Appeal hearing, a further 3,747 claimants have added their names to the list of those seeking recompense, taking the total to 9,263.

The final ruling, not due until next year, could cause Morrisons to pay enormous sums of compensation despite none of the victims suffering financial losses from the leak.

White stuff

Skelton’s wrath at his former employer was triggered when he was disciplined for spilling white powder in the company post-room, which investigating police first believed to be cocaine.

The substance turned out to be slimming formula that Skelton was selling in a side-hustle from the retailer’s Bradford headquarters. However, the incident was enough for Morrisons to suspend the auditor for six weeks.

The court was told that during this time Skelton’s grudge festered, and, on finding that he still retained some access to sensitive employee data, he copied payroll information including bank account details, dates of birth, salary information, NI numbers, addresses and phone numbers onto a USB stick.

After using the data to assist KPMG with an audit in December 2013, Skelton posted it to a file-sharing website in January 2014, before attempting to anonymously alert the police and media.

Morrisons admitted at the time that corporate system failures or employees’ negligence could lead to a large number of claims for “potentially ruinous amounts” but said that the solution is to insure against such catastrophes.

“Morrisons’ employees were obliged to hand over sensitive personal and financial information and it is their case that they had every right to expect it to remain confidential,” said Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors. “Instead, they were caused upset and distress by the copying and uploading of the information to the internet.”

McAleenan is representing the claimants, alongside Jonathan Barnes and Victoria Jolliffe, barristers at 5rb chambers.

Vicarious liability

The underlying High Court decision that Morrisons was vicariously liable for the data leak stunned the supermarket, whose procedures, processes and systems were found to be solid enough that they dodged direct liability for the breach.

Under English law, vicarious liability refers to a situation where someone is held responsible for the actions or omissions of another person, and in the case of a business is indirectly responsible for the negligence of an employee.

The retailer was given short shrift by the Court of Appeal, which felt the case hinged on the vicarious liability angle, but Morrisons eventually found a path to defend itself again.

The supermarket’s defence is that there was not a sufficiently close connection between Skelton’s wrongful conduct and what he was employed to do in order to justify a ruling of vicarious liability.

Defending Morrisons, Lord Pannick QC, of Blackstone Chambers, said all that linked Skelton’s conduct to his employment “is that his criminal plan began at work”.

Pannick said the auditor accessed the payroll data for “a specific and limited purpose” and that “downloading the data onto his personal USB stick was well outside the scope of his job functions”.

The QC said electronic data is extremely susceptible to abuse, and “there are important limits on data controllers’ ability to safeguard data against employees’ misuse”, as the act of monitoring how data is used could involve interfering with privacy rights.

The claimants argue, however, that Skelton never stopped being a Morrisons employee even while he was the data controller of the stolen data.

“Is the owner of a motor vehicle liable for the damage caused by it by another party who may have stolen it?” said data security expert Tara Taubman-Bassirian, of consultancy DataRainbow. “This is a hugely complex matter that also calls for a rethink of data protection insurance.”

An extensive list of authorities imposing vicarious liability on innocent employers in situations ranging from theft to sexual abuse was noted in court.

If the claim is ultimately successful, there will be a further hearing to consider the damages, lawyers said, which will address the central question of what damages should be awarded for the distress associated with a data breach where there is no other tangible loss.

“If the Court of Appeal’s decision stands it will likely pave the way for future data breach-related class actions – even if the individual quantum is modest, the numbers of individuals affected by data breaches is often significant enough to make such claims viable,” said Andrew Moir, head of Herbert Smith Freehills’ global cybersecurity practice.

Replies (10)

By CMPACDGDB
14th Nov 2019 10:41

Options: 1) Go back to paper to make copying large volumes more difficult; 2) Take USB ports off all corporate computers; 3) Make systems so that only FD can copy any data; 4) Insure; 5) Give up and go home and let the business die: is that really what the regulators want? We fund them and running us into shutting our businesses will inflict a tax-take own-goal!
Reminds me of the question: Why is it called "common sense"? Answer: because it isn't common...

Thanks (1)
Replying to CMPACDGDB:
By unclejoe
14th Nov 2019 11:03

You are right, it is impossible to completely prevent such things from happening. Companies need to show that they are addressing the risks and adopting best practices for prevention, and should not be penalised if they can demonstrate that they adhere to best practice. But we need to recognise that individuals who commit this sort of crime are doing harm to society, not just the company they target, and the penalties need to be severe and well publicised as a deterrent to others. 12 years in jail and appearing on the 10 o'clock news should help. But it won't happen.

Thanks (0)
By rememberscarborough
14th Nov 2019 10:57

I guess the law is of the opinion that where there's blame there's a claim and it is a good money earner for the industry.

Simply put it's the individual who is to blame and the people who have "suffered" should be suing him but then they and their legal representatives wouldn't get as much out of him would they....

Thanks (1)
By Nefertiti
14th Nov 2019 11:33

Interesting case, so what happened to the villain Skelton? After all, it was he who stole the information and made it public.

Thanks (2)
Replying to Nefertiti:
By AdamC2112
14th Nov 2019 12:23

Jailed for 8 years in 2015, so probably out by now.

Thanks (3)
Replying to AdamC2112:
By Nefertiti
14th Nov 2019 15:45

But, but, but.....I have checked this twice on my calculator, 2015 plus 8 years means he should still be in jail until 2023. Do you think the judges need new calculators cause they obviously can't add up for peanuts. I guess crime does pay in Great Britain if people get let off so easily after serving only half their sentences.

On a serious note, I just dusted off the cobwebs from my memory of vicarious liability and as far as I recall from the bit of law in my early studies, a company is only held vicariously liable for the actions of an employee who was obviously acting as an AGENT for the company at the time of the offense.

In this case, Skelton stole the data and then posted it online out of personal vengeance, no way was he acting as an agent for the company.

So how on earth is Morrisons even held vicariously liable? What type of twisted justice is this? We need to shake up these useless judges (turds) most of whom are well past their sell by dates and just prolong cases unnecessarily.

Thanks (1)
By flightdeck
14th Nov 2019 12:20

If I was the class-actioners I would hire some data security experts and have them examine Morrisons' data protection policies and systems. There is a huge amount you can't do to reduce the risk of data abuse and a lot of companies are far, far away from best practice. I feel really let down by this - there always seems to be a technicality that gets them off the hook or a general throwing of the hands in the air and 'what can you do' attitude. We need more expert witnesses brought into these cases.

Thanks (0)
Replying to flightdeck:
By tedbuck
15th Nov 2019 17:02

I think Flightdeck is being unrealistic. Even NASA gets hacked and if you have a disgruntled employee determined to shaft your company they will find a way to do it.
The correspondent who said that the end is for all the employees to lose their jobs and the business to go bust has it in a nutshell. The whole GDPR is a complete farce. Common sense should prevail but in the tick box world we live in there's a fat chance of that.

Thanks (0)
By davidbrewster
18th Nov 2019 15:28

As a business manager I get payroll data requests from auditors and they certainly do not require the vast amount of detail (bank accounts, NHI numbers etc.) as sent by Morrisons and that is what caused the issue. Surely only summaries are sufficient.

Thanks (0)