Supreme Court hears Morrisons defence of rogue auditor data breach
Supermarket chain Morrisons has made a final bid in the UK’s top court to shrug off vicarious liability claims that it is responsible for a massive data breach by a disgruntled auditor who leaked staff payroll details online.
Facing the UK’s Supreme Court on Wednesday 6 and Thursday 7 November, retailer Morrisons said it was ultimately not to blame for the actions of Andrew Skelton, a former senior internal auditor who posted the financial details of 100,000 employees of the business online in a grudge attack.
More than 9,000 individuals in the suit WM Morrison Supermarkets plc v Various Claimants are now seeking compensation in the UK’s first data breach class action, and experts say the “potentially ruinous” compensation case should serve as a warning to all businesses over their data security procedures.
“This is a classic case of an angry employee seeking revenge for an alleged slight,” said Matt Lock, technical director at data security platform Varonis. “When workers hand their sensitive data over to their employer, they put their trust in that company to protect it from criminals both inside and outside the organisation. It only takes one bad seed with enough data access to create a costly nightmare for a company.”
Morrisons was first judged to be vicariously liable in a High Court ruling in 2017, and in October 2018 the Court of Appeal upheld the original verdict of the High Court.
The supermarket then applied to the Supreme Court for permission to appeal, which was granted on April 15, 2019. The case was heard in front of five justices, led by Lady Hale.
Since the previous Court of Appeal case, a further 3,747 claimants have added their name to the list of those seeking recompense, now taking the total to 9,263.
The final ruling, not due until next year, could cause Morrisons to pay enormous sums of compensation despite none of the victims suffering financial losses from the leak.
Skelton’s wrath at his former employer was triggered when he was disciplined for spilling white powder in the company post-room, which investigating police first believed to be cocaine.
The substance turned out to be slimming formula that Skelton was selling in a side-hustle from the retailer’s Bradford headquarters. However, the incident was enough for Morrisons to suspend the auditor for six weeks.
The court was told that during this suspension Skelton’s grudge festered, and that on finding he still had some access to sensitive employee data, he copied payroll information including bank account details, dates of birth, salary information, NI numbers, addresses and phone numbers onto a USB stick.
After using the data to assist KPMG with an audit in December 2013, Skelton posted it to a file-sharing website in January 2014, before attempting to anonymously alert the police and media.
Morrisons admitted at the time that corporate system failures or employees’ negligence could lead to a large number of claims for “potentially ruinous amounts” but said that the solution is to insure against such catastrophes.
“Morrisons’ employees were obliged to hand over sensitive personal and financial information and it is their case that they had every right to expect it to remain confidential,” said Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors. “Instead, they were caused upset and distress by the copying and uploading of the information to the internet.”
McAleenan is representing the claimants, alongside Jonathan Barnes and Victoria Jolliffe, barristers at 5rb chambers.
The underlying High Court decision that Morrisons was vicariously liable for the data leak stunned the supermarket, whose procedures, processes and systems were found to be solid enough that they dodged direct liability for the breach.
Under English law, vicarious liability refers to a situation where one party is held responsible for the actions or omissions of another person; in the case of a business, it means the employer is held indirectly responsible for the negligence of an employee.
The retailer was given short shrift by the Court of Appeal, which felt the case hinged on the vicarious liability angle, but Morrisons eventually found a path to defend itself again.
The supermarket’s defence is that there was not a sufficiently close connection between Skelton’s wrongful conduct and what he was employed to do in order to justify a ruling of vicarious liability.
Defending Morrisons, Lord Pannick QC, of Blackstone Chambers, said all that linked Skelton’s conduct to his employment “is that his criminal plan began at work”.
Pannick said the auditor accessed the payroll data for “a specific and limited purpose” and that “downloading the data onto his personal USB stick was well outside the scope of his job functions”.
The QC said electronic data is extremely susceptible to abuse, and “there are important limits on data controllers’ ability to safeguard data against employees’ misuse”, as the act of monitoring how data is used could involve interfering with privacy rights.
The claimants argue, however, that Skelton never stopped being a Morrisons employee even while he was the data controller of the stolen data.
“Is the owner of a motor vehicle liable for the damage caused by it by another party who may have stolen it?” said data security expert Tara Taubman-Bassirian, of consultancy DataRainbow. “This is a hugely complex matter that also calls for a rethink of data protection insurance.”
An extensive list of authorities imposing vicarious liability on innocent employers in a range of situations ranging from theft to sexual abuse was noted in court.
If the claim is ultimately successful, there will be a further hearing to consider the damages, lawyers said, which will address the central question of what damages should be awarded for the distress associated with a data breach where there is no other tangible loss.
“If the Court of Appeal’s decision stands it will likely pave the way for future data breach-related class actions – even if the individual quantum is modest, the number of individuals affected by data breaches is often significant enough to make such claims viable,” said Andrew Moir, head of Herbert Smith Freehills’ global cybersecurity practice.