emiliau - Fotolia

Morrisons not liable for 2014 data breach, says Supreme Court

Court allows supermarket chain’s appeal against judgments holding it liable for a 2014 insider data breach, saying previous rulings misunderstood the concept of vicarious liability

Supermarket chain Morrisons has succeeded in its appeal to the Supreme Court against judgments that held it liable for an insider data breach caused by a disgruntled employee.

The breach occurred in 2014 when payroll data on thousands of Morrisons employees was leaked on a file-sharing website by Andrew Skelton, a member of its internal audit team.

A number of the affected employees subsequently brought proceedings against Morrisons personally and on the basis of what is termed vicarious liability for the acts of the employee.

Their lawsuit made claims for breach of statutory duty under the Data Protection Act (DPA) of 1988, misuse of private information and breach of confidence, and although at trial a High Court judge agreed that Morrisons was not primarily responsible, it was vicariously responsible because Skelton had acted in the course of his employment.

Morrisons lost an appeal against this judgment, but subsequently received permission to take the case to the Supreme Court.

In its unanimous judgment, the Supreme Court said previous judgments had fundamentally misunderstood the principles governing vicarious liability in a number of ways, most notably because disclosing the data online did not fall under Skelton’s “field of activities”, and that it was highly material if Skelton was acting under instruction from Morrisons or for personal reasons.

Because Skelton was authorised to be in possession of the data and to send it to Morrisons’ external auditors, the fact that he then leaked it was not so closely connected with that task that it could fairly be seen as carried out in the course of his duties, and the fact that he was able to do so was not sufficient to warrant the imposition of vicarious liability – that is to say, a company cannot really be liable for a personal vendetta against it.

A spokesperson for Morrisons said: “The theft of data happened because a single employee with legitimate authority to hold the data, also held a secret and wholly unreasonable grudge against Morrisons and wanted to hurt the company and our colleagues.

“We are pleased that the Supreme Court has agreed that Morrisons should not be held vicariously liable for his actions when he was acting alone, to his own criminal plan and he has been found guilty of this crime and spent time in jail. A court has already found that Morrisons was not responsible for any direct wrongdoing in respect of this data theft.

“We also know that many colleagues appreciated the way we got the data taken down quickly, provided protection for their bank accounts and reassured them that they would not, in any circumstances, be financially disadvantaged. In fact, we’ve seen absolutely no evidence of anyone suffering any direct financial loss.”

Read more about insider threat

  • Dealing with the human element in security is tough, but critical. This primer describes the types of insider threats and how to use a risk matrix to assess and rank them by importance.
  • Insider threat programmes may backfire if employees feel they are intrusive and violate privacy, Forrester Research warns. Making sure these programmes don’t go too far should fall to HR.
  • The risk of insider threat does not discriminate across industry lines. Learn how to build an insider threat management programme that combines AI, zero-trust principles and a healthy security culture.

James Seadon, a cyber security expert and IP and technology partner at law firm Fieldfisher, said: “The Supreme Court’s decision will be welcomed by employers in clarifying the scope of their vicarious liability for the acts of employees when it comes to data breaches.

“Nonetheless, although this may be seen to have relaxed the view of the Court of Appeal, it is critical – particularly in the fortified regulatory environment of GDPR [General Data Protection Regulation] and the DPA [Data Protection Act] 2018 – that businesses remain vigilant as to these risks. Relying on legal argument alone will not address the menace of data breaches. 

“Employers continue to assess the technical and organisational measures they have in place to protect personal and other data. These might include locking down USB ports, preventing access to unauthorised webmail and filesharing sites and adding access controls to key information, as well as ensuring that such policing does not tip the scales when it comes to privacy and that appropriate policies are in place to support the chosen approach. 

“Similarly, this litigation and the interest in it has demonstrated the power of collective actions in the wake of data breaches.  It is already clear that this is a growing area of law and we expect that trend to continue.”

The Supreme Court’s full judgment and reasoning can be read here.

How the breach unfolded

In July 2013, while Andrew Skelton was working as a senior auditor in Morrisons’ internal audit team, he was subject to disciplinary proceedings over a relatively minor misconduct and received a verbal warning. He was angered by this and became set on revenge.

In the course of his duties, Skelton was assigned to collate and transmit the firm’s payroll data to Morrisons’ external auditors, KPMG, and to do so, he was given access to the payroll data of the firm’s 126,000 employees. This included names, addresses, gender, birthdates, phone numbers, national insurance numbers, bank details and salaries.

On 9 October 2013, Skelton searched for and downloaded the Tor browser to his work computer. On 7 November, he made an internal request for the payroll data. On 14 November, he acquired a pay-as-you-go “burner” phone and on 15 November, he received the requested data. As per his duties, the data was transmitted to KPMG, but on 18 November, he secretly copied it from his work laptop onto a USB drive.

A few weeks later, on 8 December, Skelton used the username and birthdate of a fellow employee, Andrew Kenyon – who had also been involved in the disciplinary proceedings – to create a fake email account linked to the burner phone. He then deleted the data from his laptop.

On 12 January 2014, Skelton uploaded a file containing data on 98,998 Morrisons employees to a publicly accessible file-sharing website and posted links to it on other forums. After this, he deactivated the fake email account and, on 12 March, deleted the data files from the USB drive.

On 13 March, the day of the supermarket’s financial results announcement, Skelton posed as a concerned member of the public and sent CDs containing the files to three UK newspapers, claiming he had found them on the file-sharing site. None of the newspapers published any of the data, but Morrisons was alerted within hours.

The firm responded quickly to remove the data from the internet, started an internal investigation and informed law enforcement, as well as taking measures to protect the identities and data of the affected employees. Skelton was arrested a few days later and was sentenced to eight years in prison in 2015.

Morrisons estimates that it spent more than £2.26m in dealing with the immediate aftermath of the breach, most of this on identity protection services for its staff.

Read more on Data breach incident management and recovery