On 22 October 2018, the UK Court of Appeal ruled, in WM Morrison Supermarkets PLC v Various Claimants [2018] EWCA Civ 2339, that employers can be sued for data breach damage or distress caused by a rogue employee, even if the employer was not at fault and had not breached UK data protection law.


The Court of Appeal’s ruling related to an appeal by WM Morrison Supermarkets PLC (“Morrisons”) against last year’s High Court ruling in Various Claimants v WM Morrison Supermarkets PLC [2017] EWHC 3113.

The facts of the case can be summarised as follows. In January 2014, a Morrisons’ employee unlawfully uploaded payroll data relating to 99,998 employees to a file sharing website. In March 2014, he sent the information anonymously to three UK newspapers on CDs with a link to the file website, in an effort to increase its distribution. The employee did all of this because he harboured a grudge against Morrisons for a minor disciplinary matter, and knew the data breach and publicity around it would harm the supermarket.

One of the newspapers alerted Morrisons, which acted quickly to ensure the website was taken down. Morrisons also alerted the police, who investigated and subsequently arrested a Senior IT Auditor called Andrew Skelton. Mr Skelton was charged and convicted of various offences and imprisoned for 8 years. 

It transpired that Mr Skelton obtained the payroll data during an external audit by KPMG. As part of that audit KPMG asked for the payroll. Mr Skelton obtained this from Morrisons’ HR department on a USB stick and, in addition to making a copy for KPMG, he made one for himself. He then uploaded this information onto a file sharing website.


Following publication of the breach, 5,518 employees brought a group claim against Morrisons, alleging it had breached the UK Data Protection Act 1998 (“DPA”). The claimants argued Morrisons was liable as a data controller for breaching the principles of the DPA (including by failing to ensure that ‘appropriate technical and organisational measures’ were taken to protect their personal data). They also argued that, even if Morrisons was not directly at fault as a data controller, it was vicariously liable as Mr Skelton’s employer.

The case was decided by the High Court in December 2017, which held that:

  • – Morrisons had not breached the DPA, except in so far as it should have checked the payroll data were deleted by Mr Skelton after it was shared with KPMG (though Morrisons was not liable for this failure, as the claimants’ damage occurred well before such checks would have been required); and
  • – even though Morrisons was not directly liable under the DPA (or under the English common law wrongs of breach of confidence or misuse of private information), it was vicariously liable as Mr Skelton’s employer.

The vicarious liability of employers is an English common law concept that allows the employer to be held liable for unlawful actions of its employees carried out during the course of their employment (for example, if a delivery driver hits a pedestrian while on delivery rounds). In this case, the High Court held that, even though Mr Skelton was acting on his own account as an independent data controller, because Morrisons deliberately entrusted him with the employee information and Mr Skelton was acting in the course of employment, Morrisons was vicariously liable for his breaches of the DPA.  

As Mr Skelton was a data controller in his own right, the employees could have sued him personally instead. However, a claim against an employer which is properly insured, or has ‘deep pockets’ (significant assets) with which to pay compensation, is a much more attractive course of action, particularly where it involves a significant sum of money and/or a large number of individuals.


The Court of Appeal has now rejected Morrisons appeal, thereby confirming that employers can be liable to individuals harmed in personal data breaches caused by rogue employees, even if the breach is the result of an intentional criminal act which could not have reasonably been foreseen or prevented.

Although the case related to a breach under the Data Protection Act 1998, it seems likely that the result would be the same if the breach had occurred under the General Data Protection Regulation 2016/679 (“GDPR”) and the Data Protection Act 2018.

The ruling will be unwelcome news for employers, as the rogue employee threat is very a real one and it is difficult to guard against. Employees will inevitably have access to personal data (and possibly sensitive personal data) about staff, customers and business contacts. The increase in BYOD and remote working, together with the massive data storage capacity of portable media, also create enormous risks.

It remains to be seen whether the Morrisons decision will ‘open the floodgates’ to similar group claims, and it should be kept in mind that most data breaches are not the result of criminal acts by employees. Furthermore, Morrisons plans to appeal the decision to the UK Supreme Court, which could overturn both the Court of Appeal and High Court rulings.

However, for now the law is clear. Employers can be liable for data breaches caused by rogue employees, even if the employer had done all it could to keep the personal data safe and the actions of the employee could not reasonably have been foreseen or prevented. 

The question remains, what should employers do to protect themselves? Employers should foster a data protection culture within their organisation and emphasise the consequences of criminal actions in their data protection policies and training (using the example of Mr Skelton’s 8-year prison sentence). 

The Court of Appeal also suggested employers protect themselves through insurance, stating: 

the solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees. We have not been told what the insurance position is in the present case, and of course it cannot affect the result. The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments 

Of course, simply having an insurance policy in place is not enough. Employers also need to make sure they avoid primary liability and do not invalidate insurance policies by ensuring that they themselves have complied with GDPR and the Data Protection Act 2018.

Note: The contents of this update are provided as at 30 October 2018 for information purposes only and do not constitute legal advice on specific circumstances. 

If you have questions about the GDPR, Data Protection Act 2018, or e-Privacy matters please contact our Data Regulatory team