Morrisons Data Breach

We highlighted this case as one to watch at our recent Employment Law Update seminars. The Court of Appeal has now reached a decision in WM Morrison Supermarkets plc v Various Claimants, a case concerning a significant data breach caused by a rogue employee. We previously reported on this case here.

The High Court decided that Morrisons was vicariously liable and the case was taken to the Court of Appeal.

The Court of Appeal has upheld the decision of the High Court that Morrisons was vicariously liable for the actions of an employee, Mr Skelton, who disclosed the personal information (including names, addresses, salaries and bank details) of around 100,000 colleagues on the internet. It decided that there was a sufficiently close connection between the employment of Mr Skelton and his wrongful conduct for Morrisons to be liable. It agreed with the High Court that there was a continuous sequence of events that linked his employment to the disclosure – Mr Skelton was an employee when he received the data, and his decision to disclose it was closely related to what he had been tasked to do, i.e. to receive and store the information and then disclose it to a third party. That Mr Skelton made the disclosures from home, using personal equipment and on a non-working day, did not disengage the wrongful act from his employment.

Morrisons maintains that it should not be held liable for the criminal misuse of its data and has been given permission to take its fight to the Supreme Court.


This case highlights an increased risk of employers being found vicariously liable for the actions of their employees, even where there is a fairly tenuous link to employment. It isn’t the first time Morrisons has been on the losing side of a tenuous vicarious liability claim either – having previously been found liable when a petrol forecourt attendant physically assaulted a customer.

As a reminder, if a sufficiently close connection is found between an employee’s role and their conduct then an employer can be vicariously liable. There appears to be a current willingness by the courts to find a connection where once it might have been more difficult for claimants to succeed.

Following the implementation of the GDPR and Data Protection Act 2018, this case also serves as a warning to organisations to safeguard personal data and have robust organisational and technical procedures in place to prevent data falling into the wrong hands, whether it be by accident, theft or rogue employees.

If you have any queries in relation to data protection or any other HR queries, please contact the employment team on 01228 552600 or 01524 548494.

Email Alerts

Baines Wilson LLP send our clients and contacts legal updates by way of short email alerts. If you would like to receive our regular alerts, please follow the link below.

Sign up for Alerts
