Morrisons data breach case highlights wider reaching liabilities than just GDPR fines


A High Court judge has found Morrisons supermarket liable for a 2014 data leak in which an employee leaked Morrisons staff payroll information. The employee was found guilty of the breach and is currently serving an 8 year prison sentence.

However, some of the employees impacted by the breach (i.e. those whose details were leaked) took the supermarket to court to claim damages for the threat of identity theft and potential financial loss. Whilst Morrisons argued they couldn’t be held liable for the rogue behaviour of an employee, Justice Langstaff found Morrisons vicariously liable (i.e. liable for the employee’s actions), even though the actions of the employee were aimed at harming Morrisons directly:

“The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims.”

This case comes at an interesting time for data protection compliance, with the General Data Protection Regulation (GDPR) around the corner. There is so much fear-mongering about the fines of up to 4% of global turnover or €20m (which will probably never be that large anyway) that it is often forgotten that under UK law there are a number of other legal remedies, including the potential for data subjects to sue for damages.

This Morrisons case is a landmark case in the UK, as it is the first of its kind where an employer has been found liable for damages caused by an employee’s actions (rather than a “traditional” hack). It will be interesting to see how this pans out – Morrisons say they will be appealing – and whether it leads to further “victim”-led cases; although the key to this case appears to be that the dispute between the employee and the employer led to the employee’s behaviour, and hence to the vicarious liability.
