In a recent case, Morrisons, the fourth largest supermarket in the UK, was found vicariously liable for a malicious data breach carried out by an employee with a grudge against his employer. The case is a sharp reminder that when it comes to data protection, preparation and awareness are paramount, and that controls designed to keep data safe from outsiders do not by themselves protect it from an authorised insider.

Andrew Skelton, a senior IT auditor at Morrisons, copied the payroll data of nearly 100,000 employees (including names, addresses, dates of birth, national insurance numbers and bank details) onto a personal USB device. The data had reached him legitimately: an authorised employee in HR had copied it from the secure software in which it was held onto an encrypted memory stick and uploaded it to Mr. Skelton's encrypted laptop, so that he could supply it to the company's external auditor, KPMG. Once on the laptop it was further encrypted, transferred onto a memory stick provided by KPMG, and sent on as planned. Every step of the sanctioned transfer was encrypted; what the process did not guard against was the person trusted to carry it out.

Unbeknown to Morrisons, before deleting the data from the laptop Mr. Skelton had taken his own copy. Earlier that year Skelton had been subject to disciplinary proceedings, which apparently led him to harbour a grudge against the supermarket and set him on a path to cause it significant harm.

He did so in January 2014 by posting the payroll data on a public file-sharing website, tipping off the press and attempting to implicate an innocent colleague. Once the press made Morrisons aware of the breach, the supermarket acted swiftly to have the website hosting the data taken down. It also liaised promptly with banks and the police.

In 2015 Skelton was jailed for eight years after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data.

However, unfortunately for Morrisons, it did not stop there. In Various Claimants v WM Morrisons Supermarket [2017], 5,500 affected employees brought claims against Morrisons in the High Court, alleging breaches of the Data Protection Act 1998 (DPA). Despite its swift action on discovering the breach, Morrisons was, on 1 December 2017, found vicariously liable for Mr. Skelton's actions and will likely be ordered to pay damages to the employees. The High Court, sitting in Leeds, found that Morrisons was not directly liable for breaches of the DPA: at the point when Skelton copied and leaked the data, he, not Morrisons, was the data controller of that copy, so primary liability did not rest with Morrisons.

However, although Morrisons itself had not caused the data breach, the court was prepared to hold Morrisons vicariously liable for Mr. Skelton's unlawful acts. It is well established that an employer can be liable for the wrongful act of an employee carried out in the course of that employee's employment, and here the court found a sufficient connection between the role in which Skelton had been entrusted with the data and his disclosure of it.

The case is an opportunity for a detailed review of the standards of care and conduct expected from employees who handle personal data, and of who is entrusted with it and how. In light of the stricter obligations coming into effect on 25 May 2018 under the GDPR, employers must ensure not only that the company is prepared, but that its employees are ready too. Training for employees is key. Having a proper procedure in place for responding to any data breach is even more important.

For further information, please contact Koichiro Nakada (Head of Japan Business Group) and Yoko Nakada (Senior Associate, Deputy Head of Japan Business Group).
The information and any commentary on the law contained in this bulletin is provided free of charge for information purposes only. No responsibility for its accuracy and correctness, or for any consequences of relying on it, is assumed by Lewis Silkin LLP or Centre People Appointments. The information and commentary does not, and is not intended to, amount to legal advice and is not intended to be relied upon. You are strongly advised to obtain specific, personal advice from a lawyer about your case or matter and not rely on the information or comments in this bulletin.

This information is supplied by Lewis Silkin LLP, www.lewissilkin.com