Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+

Personnel Today

Register
Log in
Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+

Data protectionLatest NewsConfidentialityComputer misusePayroll

Morrisons payroll data breach judgment a ‘wake-up call’ for business

by Rob Moss 22 Oct 2018
by Rob Moss 22 Oct 2018 Dimitris Legakis / REX / Shutterstock
Dimitris Legakis / REX / Shutterstock

The Court of Appeal has upheld the judgment finding Morrisons vicariously liable for the leak of payroll data by a disgruntled employee, but the supermarket says it will take the case to the Supreme Court.

Legal commentators have said that employers will be panicking in light of today’s “bewildering” judgment. Morrisons said it will appeal to the Supreme Court.

In 2014 Andrew Skelton, an internal auditor at Morrisons posted the names, addresses, bank account details, national insurance numbers and salaries of more than 100,000 employees online. At his criminal trial, he was jailed for eight years.

Last year the High Court ruled that the supermarket was vicariously liable for the data breach and that employees should receive compensation. More than 5,500 claimants are seeking a payout in the case, although there has been no indication that anyone has suffered financially from the leak.

Data protection

Morrisons case: employers’ responsibilities in preventing malicious data leaks

Morrisons data breach sounds warning on vicarious liability

Nick McAleenan, partner at JMW Solicitors, which is representing the claimants, said: “[Employees] were obliged to hand over sensitive personal information and had every right to expect it to remain confidential, but a copy was made and it was uploaded to the internet and they were put at risk of fraud, identity theft and a host of other problems. Unsurprisingly, this caused a huge amount of worry, stress and inconvenience.

“The claimants are obviously delighted with the Court of Appeal’s ruling. The judges unanimously and robustly dismissed Morrisons’ legal arguments.”

He added that the judgment was a “wake-up call” for business. “People care about what happens to their personal information. They expect large corporations to take responsibility when things go wrong in their own business and cause harm to innocent victims. It’s important to remember that data protection is not solely about protecting information – it’s about protecting people”.

But Susan Hall, intellectual property lawyer at Clarke Willmott, said: “This is a bewildering judgment. The first instance decision was in many respects shocking, with the judge himself acknowledging that Morrisons had done nothing wrong…

“The verdict in the High Court effectively achieved the former employee’s purpose of punishing Morrisons by making them liable for potentially millions of pounds in compensation, through no fault of their own. That it has been upheld by the Court of Appeal will have employers up and down the country panicking as there is very little they can do to guard against a similar situation.”

A Morrisons spokesman said: “Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of [a] former employee, even though his criminal actions were targeted at the company and our colleagues.

This is a bewildering judgment. The first instance decision was in many respects shocking, with the judge himself acknowledging that Morrisons had done nothing wrong” – Susan Hall, Clarke Willmott

“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible so that’s why we will now appeal to the Supreme Court.”

In dismissing the case at the Court of Appeal appeal today, three senior judges said they found Morrisons’ arguments “unconvincing”.

Their judgment read: “Mr Skelton’s nefarious activities involved the data of a very large number of employees although, so far as we are aware, none of them has suffered financial loss. But suppose he had misused the data so as to steal a large sum of money from one employee’s bank account. If Morrisons’ arguments are correct, then (save for any possible claim against the bank) such a victim would have no remedy except against Mr Skelton personally.”

They acknowledged that corporate system failures or employees’ negligence might lead to a large number of claims against a company for “potentially ruinous amounts” but said that the solution is to insure against such catastrophes.

Sign up to our weekly round-up of HR news and guidance

Receive the Personnel Today Direct e-newsletter every Wednesday

OptOut
This field is for validation purposes and should be left unchanged.

In last year’s High Court decision, the judge acknowledged that his judgement “may seem to render the court an accessory in furthering [Mr Skelton’s] criminal aims.”

Oz Alashe, CEO of cybersecurity training platform CybSafe said: “It is hard to see what Morrisons could have realistically done to prevent this situation from arising. Nevertheless, the message from today’s ruling is clear: even when a company is the victim of criminal activity from within its own organisation, ultimate responsibility for keeping personal data secure rests on its shoulders.”

Morrisons
Rob Moss

Rob Moss is a business journalist with more than 25 years' experience. He has been editor of Personnel Today since 2010. He joined the publication in 2006 as online editor of the award-winning website. Rob specialises in labour market economics, gender diversity and family-friendly working. He has hosted hundreds of webinar and podcasts. Before writing about HR and employment he ran news and feature desks on publications serving the global optical and eyewear market, the UK electrical industry, and energy markets in Asia and the Middle East.

previous post
Directors must pay £2m in landmark whistleblowing case
next post
Employers need support around whistleblowing argues charity

5 comments

Lee palmer 22 Oct 2018 - 9:04 pm

Morrisons did not provide protection for the colleagues before or after, this is a false statement, they gave everyone 6 months Experian credit check for free, this only says if someone has tried to get a loan or credit in your name, does not actually prevent loss

Lee palmer 22 Oct 2018 - 9:11 pm

We were told to change our bank accounts and offered 6 months free Experian credit, so they DID NOT protect us before or after the situation, as this would only inform us if someone has already taken out credit in our names

Ben 22 Oct 2018 - 10:36 pm

This is an utterly ridiculous judgement from a legal system designed to make work for itself. It will have terrible implications and brings the whole legal system into disrepute.
How can employers be liable for something they cannot protect against. To say “buy insurance” is the language of someone with a very low iq.

Laurence 23 Oct 2018 - 2:49 pm

Donald Trump is commenting on Personnel Today articles now^

Chris 24 Oct 2018 - 11:24 am

Not really – the court is following the well established rules for defining vicarious liability (prove there is a relationship between the two parties and that the actions of one of the parties could reasonably be part of their duties) – Skelton was employed by Morrisons (relationship) and he was an internal auditor, so it was reasonable for him to have access to this data (reasonable use). His actions were criminal, but the liability is vicarious.

Morrisons successfully defended a case a few years back on the same principle – where an employee assaulted a member of the public – they argued that his actions were not reasonably part of his job and the court agreed.

Comments are closed.

You may also like

New law could make it easier for organisations...

8 Apr 2024

Employer found liable for sexual misconduct at party

31 May 2023

Worker injured in practical joke cannot take vicarious...

22 Sep 2022

Tarmac not liable for injury resulting from ‘horseplay’,...

12 Jan 2022

Seven key employment law cases from 2020

17 Dec 2020

How Covid-19 has added to ‘insider threat’ risks

7 Jul 2020

Barclays not liable for sexual assaults committed by...

2 Apr 2020

Six employment law cases that will shape 2020

14 Jan 2020

Supreme Court hears final Barclays appeal in sexual...

28 Nov 2019

Morrisons’ vicarious liability appeal reaches Supreme Court

6 Nov 2019

  • 2025 Employee Communications Report PROMOTED | HR and leadership...Read more
  • The Majority of Employees Have Their Eyes on Their Next Move PROMOTED | A staggering 65%...Read more
  • Prioritising performance management: Strategies for success (webinar) WEBINAR | In today’s fast-paced...Read more
  • Self-Leadership: The Key to Successful Organisations PROMOTED | Eletive is helping businesses...Read more
  • Retaining Female Talent: Four Ways to Reduce Workplace Drop Out PROMOTED | International Women’s Day...Read more

Personnel Today Jobs
 

Search Jobs

PERSONNEL TODAY

About us
Contact us
Browse all HR topics
Email newsletters
Content feeds
Cookies policy
Privacy policy
Terms and conditions

JOBS

Personnel Today Jobs
Post a job
Why advertise with us?

EVENTS & PRODUCTS

The Personnel Today Awards
The RAD Awards
Employee Benefits
Forum for Expatriate Management
OHW+
Whatmedia

ADVERTISING & PR

Advertising opportunities
Features list 2025

  • Facebook
  • Twitter
  • Instagram
  • Linkedin


© 2011 - 2025 DVV Media International Ltd

Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+