Call for a free 15 minute consultation 0330 221 0684

Blog Arrow Employment Law

Should an employer be held responsible for an employee’s data breach?

Calendar June 12, 2020

Following a Court of Appeal decision in WM Morrisons Supermarkets Plc v Various claimants, the employer’s vicarious liability has been expanded to include the staff’s deliberate data leak. Consequently, employers considered taking the ‘appropriate insurance’ to cover their potential liability. On April 2020, the Supreme Court reversed this decision. You can read a summary below.

Overview of the facts

Andrew Skelton (‘AS’) was a senior IT auditor in Morrisons Supermarkets Plc (‘Morrisons’) internal audit team. While working for Morrisons, AS ran a side business of selling weight-loss drugs. Although not disclosed to Morrisons, his side-line business did not conflict with his main employment. On several occasions, AS made use of the workplace’s post room to send parcels to his customers. He paid the appropriate postage and he let his employer know. On 20th May 2013, an incident occurs as an envelope containing white powder broke open in the postage room. Police were called and AS was arrested under suspicion of selling illegal drugs. The laboratory analysis made it clear that the drug was not illegal, but AS faced a disciplinary hearing and received a verbal warning.
AS started nursing grudge toward Morrisons and over a period of months designed and prepared his revenge plan. AS copied the payroll data of almost 100,000 fellow employees at Morrison into a personal USB. As preparatory steps, he used special software to hide the identity of his computer and set up an email account linked to a pay-as-you-go mobile phone. AS went even further and tried to frame a fellow employee, using his date of birth and username to create the email account. When Morrisons was about to announce its annual financial reports, AS posted on the internet the personal data and payrolls of Morrisons employees. Further, acting as allegedly a ‘concerned person’, AS informed two of the local newspapers of the leak the data. Luckily, the newspapers did not publish the information and alerted Morrisons who took steps to ensure that the information has been taken down. Morrisons called the police and AS was arrested and later convicted to eight years imprisonment.

Court decision

Affected by the breach of data, the employees started proceedings against Morrisons for alleged ’distress, anxiety, upset and damage’. The claims alleged misuse of information and confidence, in breach of statutory duty of section 4(4) of the Data Protection Act 1998 (DPA), replaced now by Data Protection Act 2018 (‘DPA 18’). The claimants sought damaged on the basis that Morrisons is primarily liable or vicariously liable for AS’s wrongs. The High Court rejected Morrisons’ primary liability but held that the employer is vicariously liable for the AS’s wrongful conduct. Morrisons appealed the decision, but the Court of Appeal upheld the High Court’s decision and dismissed the appeal. Morrisons appealed to the Supreme Court and on 1st April 2020, the Supreme Court overturned previous decisions.
The key legal principle based on which the Supreme Court based its decision is whether AS disclosure was ‘so closely connected with acts he was authorised to do’. The Supreme court concluded that the close connection test has not been satisfied and it cannot be argued that AS’s acts were done ‘in the ordinary course of his employment’. AS was pursuing a ’ personal vendetta’ and the mere fact that Morrisons gave him the opportunity to commit the wrongful act ‘would not be sufficient to warrant vicarious liability’
It is also noteworthy that, on Morrisons’ allegations that, under DPA 1998, liability can be imposed only on data controllers, namely on AS, the Supreme Court took the view that the employer vicarious liability is consistent both with breaches of duties under the DPA or arising under common law.


This caselaw is of particular interest for the employers as they will not suffer consequences for deliberate wrongdoings of their employees. Although a welcome reassurance for employers, this judgement should be read by reference to the facts considered in the case. For example, Morrisons were able to prove that they put in place substantial security systems for processing personal data and acted expeditiously in limiting the damages caused by the data leak.

Contact us

If you believe you are in data breach situation or any other employment dispute, please contact our team of employment specialists today


Do you need help? Request a consultation now.

KLG are always here to help. To arrange a free 15 minute introductory consultation call, where we can identify your needs and show you how we can support your business or you as an individual. Please complete our form.