Not our fault. Supermarket tells Supreme Court it was not liable for 2014 hack of staff payroll data
Supermarket chain Morrisons has this week told the Supreme Court in London that it is not liable for a data breach way back in 2014.
The case centres around a damaging data breach in 2014, when disgruntled internal auditor Andrew Skelton posted online personal details of staff that included salary data.
Skelton was jailed for eight years in 2015 for obtaining the names, addresses, bank account details and salaries of roughly 100,000 employees and posting them online.
He is due to be released from prison in January.
Skelton also sent the data to a number of newspapers who then alerted the supermarket.
But the supermarket has consistently argued that it is not responsible for the actions of a rogue employee, and has taken the case right up to the Supreme Court.
“In relation to vicarious liability, we say the legal test is whether there is a sufficiently close connection between the wrongful conduct of the employee and what he was employed to do, assessed by ref to job function, time, when did he carry out the acts, the geography, where did he carry out the acts and motive,” Lord Pannick QC, working on behalf of Morrisons, was quoted as saying by the Register.
“It’s not sufficient for the claimants to show that the employment provided the opportunity for the wrongdoing,” Lord Pannick reportedly said.
“When Mr Skelton downloaded the data onto his personal USB he had metaphorically taken off his uniform,” said Lord Pannick. “He wasn’t acting or purporting to act on behalf of his employer or for the purpose of his employment.
Liable or not?
Essentially, the case comes down to a simple question. Was former Morrisons auditor Andrew Skelton acting “in the course of his employment” when he copied nearly 100,000 people’s payroll data to a USB stick and dumped it on a hidden Tor site?
It be noted that Morrisons wasn’t the only British supermarket to suffer a data breach in 2014.
That same year thousands of online Tesco customers had to have their accounts deactivated after user details were leaked and posted online.
Do you know all about security? Try our quiz!