Supreme Court data breach ruling will ‘come as a relief’ to pension schemes

The Supreme Court overturning a Court of Appeal ruling on a data breach case against Morrisons will “come as a relief” to pension schemes, according to Herbert Smith Freehills.

On 1 April 2020, the Supreme Court overturned the Court of Appeal’s decision in upholding the ruling of the High Court that the supermarket was vicariously liable for its former employee’s actions of sending data to third parties.

Commenting on the ruling, Herbert Smith Freehills stated: “The Supreme Court’s decision will likely result in a collective sigh of relief for organisations (including sponsors, administrators, pension schemes and pension providers) both in relation to their liability for employees’ actions generally and their potential liability for data breach class actions."

The former employee, who was a senior auditor in Morrisons’ internal audit team, was found guilty of stealing and unlawfully sharing the names, addresses, bank account, salary and national insurance details of almost 100,000 of his former colleagues with news outlets and data sharing websites.

He was given access to the personal data ahead of an annual external audit of the supermarket by KPMG as his task was to collate and transmit the data to KPMG.

The case, Morrisons Supermarkets Plc v Various Claimants, was brought about by 5,000 of the employees affected by the breach.

However, the Supreme Court ruled in favour of Morrisons as the former employee was pursuing his own objective, rather than the company’s, and it said the fact that his job provided him with the opportunity to commit a wrongful act does not make necessary make the company vicariously liable.

The court noted that, once Morrisons were made aware of the leak of the personal information, it took steps to ensure that the data was removed from the internet as well as informing the police and the affected employees.

Morrisons spent over £2m dealing with the aftermath of the data breach, a significant portion of which was spent on identity protection measures for its employees.

Herbert Smith Freehills added: “It is important to note that it does not close the door on data breach class action compensation as a whole. Organisations should still be examining the technical and organisational measures they have in place to prevent personal data breaches in order to reduce the risk of regulatory enforcement and class actions.”

    Share Story:

Recent Stories


Making pension engagement enjoyable through technology
Laura Blows speaks to Nick Hall, business development director and Chartered Financial Planner at UK-based Wealth Wizards about the opportunities that technology provides for increasing people’s engagement with pensions and increasing their retirement wealth. Please click here for an edited write-up of the video

ESG & DC – creating the right tools
In the latest of our series of Pensions Age video interviews Francesca Fabrizi, Editor in Chief of Pensions Age is joined by Manuela Sperandeo, Head of Sustainable Indexing EMEA, BlackRock and Mark Guirey, Executive Director, Asset Owner and Consultant Coverage - MSCI to discuss some key trends of ESG investing among UK pension funds today. Please click here for an edited write-up of the video

Savings and finance at retirement
Laura Blows is joined by Claire Felgate, Head of Global Consultant Relations, UK, at BlackRock, to discuss savings and finance at retirement. Please click here for an edited write-up of the video

Global sustainable credit
Laura Blows speaks to Royal London Asset Management senior fund manager, Rachid Semaoune, about global sustainable credit
Global equities and transition investing
Pensions Age editor, Laura Blows speaks to Royal London Asset Management equity investment director, Jonathan Price, about transitioning to sustainable investments within global equities

Advertisement Advertisement