Morrisons has won an appeal at the Supreme Court over a ruling it was liable for a data breach that saw the private details of nearly 100,000 employees posted online.
The supermarket giant launched a challenge after a Court of Appeal ruling in October left it facing a massive compensation payout from the UK’s first data leak class action case.
The case concerned a security breach in 2014 when Andrew Skelton, a senior internal auditor at the retailer’s Bradford headquarters, leaked the payroll data of nearly 100,000 employees - including their names, addresses, bank account details and salaries - by putting it online and sending it to newspapers.
Skelton, who was subsequently jailed for eight years, had been sacked for dealing in legal highs while at the company.
Today’s decision by the Supreme Court overturns previous judgments, which gave the go-ahead for compensation claims by thousands of employees whose personal details were posted on the web.
A panel of five justices unanimously ruled Morrisons was not “vicariously liable” for the actions of Skelton.
Announcing the decision via video link, the court’s president Lord Reed said Skelton leaked the data because of a “grudge” after he was given a verbal warning following disciplinary proceedings.
The judge said employers could only be held liable for the actions of employees if they were “closely connected” with their duties at work.
He said: “In the present case, Skelton was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question.
“On the contrary, he was pursuing a personal vendetta, seeking revenge for the disciplinary proceedings a month earlier.
“In these circumstances, applying the established approach to cases of this kind, his employer is not vicariously liable.”
In a statement Morrisons said: “The theft of data happened because a single employee with legitimate authority to hold the data, also held a secret and wholly unreasonable grudge against Morrisons and wanted to hurt the company and our colleagues.
“We are pleased that the Supreme Court has agreed that Morrisons should not be held vicariously liable for his actions when he was acting alone, to his own criminal plan and he’s been found guilty of this crime and spent time in jail. “A court has already found that Morrisons was not responsible for any direct wrongdoing in respect of this data theft. We also know that many colleagues appreciated the way we got the data taken down quickly, provided protection for their bank accounts and reassured them that they would not, in any circumstances, be financially disadvantaged. In fact, we’ve seen absolutely no evidence of anyone suffering any direct financial loss.”