UK Supreme Court rules that Morrisons can't be held responsible for 2014 data breach

The company was facing compensation claims from thousands of former and current employees over the security incident

The UK's Supreme Court ruled on Wednesday that British supermarket group Wm Morrisons cannot be held liable for 2014 data breach in which a former employee posted personal details of over 100,000 staff members on internet.

Morrissons' victory in the Supreme Court marks the end of the Britain's first data leak class action case, in which the grocery firm faced compensation claims from thousands of former and current employees over the security incident.

In 2017, London's High Court had held Morrisons responsible for the publication of the employees' data by Andrew Skelton, former IT auditor at the company, who was later convicted for his wrongdoings and sentenced to an eight-year jail term.

In November 2013, Morrisons was given the responsibility to send payroll data of the company's entire workforce to external auditors, in the same way as he had previously done in 2012.

While Skelton did send all data to auditors, he also saved a personal copy of those details. The next year, he uploaded all the data on a website and also sent it anonymously to three UK newspapers.

After the company learned about the data breach, it immediately took steps to remove employees' information from internet and also alerted law enforcement.

A large number of affected employees of the company later filed a lawsuit against the supermarket group, accusing it of breaching its statutory duty under the Data Protection Act, misusing private details of employees, and also breaching the confidence of workers.

Following High Court's decision, Morrisons appealed to the Court of Appeal, which also backed High Court's ruling in 2018.

Morrisons then brought the case to the Supreme Court, which has now overturned the previous ruling given by the High Court.

"The circumstances in which Skelton committed wrongs against the claimants were not such as to result in the imposition of vicarious liability upon his employer," Supreme Court judge Robert Reed said in a written judgement.

The judge said that an employer can't be held vicariously liable where the employee was not engaged in expanding his employer's business. In Morrisons case, the employee was actually pursuing a personal vendetta and trying to harm his employer.

Morrisons said in a statement that it was pleased with the ruling given by the Supreme Court.

"We also know that many colleagues appreciated the way we got the data taken down quickly, provided protection for their bank accounts and reassured them that they would not, in any circumstances, be financially disadvantaged," the company said.

"In fact, we've seen absolutely no evidence of anyone suffering any direct financial loss," it added.