Morrisons ‘not liable’ for actions of rogue employee over data breach

Data Breach | Griffiths & Armour

On the 1st April 2020, The Supreme Court overturned the case of WM Morrisons Supermarkets PLC v Various Claimants. This case has significance for all businesses and that has wide ranging implications for vicarious liability and data protection. 


In July 2013, Andrew Skelton, a senior internal auditor at Morrisons Supermarket, was involved in disciplinary proceedings relating to minor misconduct. After receiving a verbal warning, he developed irrational animosity towards his employee. 

Later in November 2013, Mr Skelton was tasked with transmitting payroll data for Morrisons’ entire workforce to its external auditors, as he had done the previous year. He did so, but he also made and kept a personal copy of the data. 

In early 2014, Mr Skelton uploaded a file, containing 98,998 employees’ details to a public file-sharing website and also sent it to three UK newspapers. Following investigations, Mr Skelton was arrested and convicted. In 2015, he was convicted and sentenced to eight years’ imprisonment. 

Claims were subsequently brought against Morrisons by over 9,200 employees for breach of statutory duty under the Data Protection Act, misuse of private information, and breach of confidence. 

A trial and subsequent Court of Appeal hearing both concluded that Morrisons bore no primary responsibility but was vicariously liable and should pay damages. The supermarket chain then appealed to the Supreme Court. 

The Supreme Court Decision 

The Supreme Court considered whether there was a close connection between the activities the employee was authorised to do and his wrongful action in copying and uploading the data. 

They concluded that it was ‘highly material’ that Mr Skelton was acting for purely personal reasons, here pursuing a vendetta against Morrisons. Furthermore, the wrongful conduct was not so closely connected with acts that he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it could fairly and properly be regarded as done by him while acting in the ordinary course of his employment. 

This result comes as a huge relief to Morrisons and indeed any large employer who fears the possibility of an employee, trusted with access to large amounts of personal data, going rogue. 

The judgments, whilst not changing the tests applied in vicarious liability cases, indicate that the range of cases in which businesses may be responsible for the actions of employees or contractors continues to have boundaries. 

Cyber Insurance 

Cases like this one highlight the costs to businesses of such actions by rogue employees. Morrisons had reportedly spent around £2.3m in dealing with the fallout of the disclosure, most of this on identity protection measures for its employees. 

If the Supreme Court had rejected Morrisons’ appeal, there would have been thousands of claims for compensation to pay or settle. 

A comprehensive Cyber Insurance policy would support with these costs and provide the business with access to a dedicated panel of experts, from PR professionals and forensic IT technicians to legal support. 

Knowing how much insurance to purchase can be extremely difficult to judge, which is why, at Griffiths & Armour, we undertake comprehensive Cyber Audits for our clients. These audits consist of 166 questions that qualify and quantify the risk exposures. Armed with this information we can work alongside our clients to advise on the most appropriate cover and limits of indemnity aligned to their needs and objectives. 

If you would like more information on guidance on managing cyber risks or risk management in general, send a message using the enquiry link below and member of our risk management team will be in touch.