Various Claimants v Wm Morrisons Supermarkets plc

Category: Insurance case law · Reviewed by Jake Leat, Associate Director · Last reviewed June 2026

The Supreme Court held that an employer was not vicariously liable for a disgruntled employee’s deliberate unauthorised disclosure of co-workers’ payroll data, because the employee’s wrongful acts were not committed in the course of his employment but pursued a personal vendetta against his employer.

Citation

[2020] UKSC 12

Facts

The defendant, Wm Morrisons Supermarkets plc, employed Andrew Skelton as a senior IT auditor at its head office in Bradford. In July 2013 Mr Skelton was disciplined for an unrelated incident; he received a formal verbal warning but harboured a grievance against the company. In November 2013 Mr Skelton, in the course of his employment, was tasked with collating payroll data for Morrisons’ external auditors KPMG. He copied the data — comprising the personal details, bank account numbers and salary information of approximately 99,998 Morrisons employees — onto a personal USB stick.

In January 2014 Mr Skelton, acting from home and using a personal computer, uploaded the entire payroll dataset to a publicly accessible file-sharing website. He also sent copies on CD-ROM, anonymously, to three United Kingdom newspapers. The newspapers did not publish the data and instead alerted Morrisons, which took the file-sharing site down within hours and notified affected employees, the police and the Information Commissioner’s Office. Mr Skelton was arrested, prosecuted, convicted of offences under the Computer Misuse Act 1990, the Fraud Act 2006 and section 55 of the Data Protection Act 1998, and sentenced to eight years’ imprisonment.

A group of 9,263 affected employees brought a representative group action against Morrisons under the Group Litigation Order procedure, claiming damages for breach of statutory duty under the Data Protection Act 1998, for the equitable wrong of breach of confidence, and for the tort of misuse of private information. The employees did not allege that Morrisons itself had directly committed any wrong; rather they argued that Morrisons was vicariously liable for the actions of Mr Skelton as its employee.

Langstaff J in the High Court held Morrisons vicariously liable, although he expressed concern that the decision rendered Morrisons the secondary victim of a criminal vendetta directed against it. The Court of Appeal dismissed Morrisons’ appeal. Morrisons appealed to the Supreme Court.

Issue

Two main issues fell for determination. The first was whether the close connection test for vicarious liability — that an employer is liable for an employee’s wrongful conduct where there is a sufficiently close connection between the wrongful acts and the acts the employee was authorised to do — was satisfied in circumstances where the employee had been authorised by his employer to handle the very data he later misused, but where the disclosure itself was effected outside working hours, from a personal computer, in pursuit of a personal vendetta against the employer. The Court of Appeal had held that the close connection test was satisfied because the unbroken chain of events began with Mr Skelton being given access to the data in the course of his employment.

The second issue was whether the Data Protection Act 1998 excluded the operation of vicarious liability altogether in respect of breaches of its provisions, breach of confidence and misuse of private information committed by an employee. Morrisons argued that the Act provided a complete code for data controller liability that left no room for vicarious liability for the acts of an employee who had stepped outside the controller’s instructions and become a data controller in his own right.

Decision

The Supreme Court (Lord Reed giving the leading judgment, with whom Lord Hodge, Lady Black, Lord Lloyd-Jones and Lord Kitchin agreed) allowed Morrisons’ appeal.

On the first issue, the court held that the lower courts had misapplied the close connection test as articulated in Mohamud v Wm Morrison Supermarkets plc and the earlier authorities. The fact that Mr Skelton had been authorised to handle the payroll data in the course of his employment was not sufficient to make Morrisons vicariously liable for the subsequent unauthorised disclosure he committed at home from a personal computer in pursuit of a personal grudge against his employer. The wrongful disclosure was not part of Mr Skelton’s “field of activities” or in any real sense an act done in the course of his employment; it was a personal act of vengeance against his employer. The motive of the employee — pursuing a personal vendetta against the employer — was a relevant consideration, and pointed clearly against the existence of vicarious liability.

On the second issue, the court held that the Data Protection Act 1998 did not exclude vicarious liability in principle for breach of its provisions or for misuse of private information or breach of confidence. Vicarious liability remained an available basis on which an employer could be held liable for an employee’s data breach — but the principles governing when such liability arose were the ordinary principles of vicarious liability at common law, which Mr Skelton’s conduct in this case did not engage.

Ratio decidendi

The decision establishes two propositions. First, the close connection test for vicarious liability requires more than the existence of an unbroken causal chain between authorised activities and a wrongful act; the wrongful act must be so closely connected with what the employee was authorised to do that it can fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment. Where an employee acts from a personal motive of vengeance against his employer, that strongly indicates that the wrongful act falls outside the course of employment. Second, while the Data Protection Act 1998 (and by extension the UK GDPR / Data Protection Act 2018 regime) does not exclude vicarious liability in principle, that liability arises only where the ordinary common law test is satisfied. The Morrisons employees’ group action accordingly failed against Morrisons, leaving them with claims only against the convicted employee personally.

Significance for UK insurance law

Various Claimants v Wm Morrisons is a foundational decision for cyber and data liability insurance underwriting and broker advice in the United Kingdom. Prior to the Supreme Court’s decision the prospect of employer vicarious liability for “rogue employee” data breaches was real and was being priced into cyber and data liability cover. The decision substantially narrows that exposure but does not eliminate it; brokers and insurers should be alert to the distinctions on which the case turned.

For cyber insurance underwriting and broker advice the case has several implications. First, the decision confirms that the prospect of employer liability for a malicious insider breach remains live where the employee acts to further (or with ostensible benefit to) the employer’s business — only where, as in Morrisons, the conduct is a personal vendetta directed at the employer will vicarious liability fail. Insureds with high concentrations of personal data and high-trust roles handling that data continue to require cover. Second, the decision underlines the importance of segregation of duties, access controls, monitoring and offboarding procedures: from an underwriting perspective, the existence of robust insider-threat controls reduces both the frequency of incidents and the regulatory exposure that may follow. Third, the decision draws attention to the fact that, where vicarious liability is unavailable, claimants may seek to argue direct fault on the part of the employer — that the controls in place were inadequate and that the employer was directly negligent or in direct breach of its data protection obligations. Brokers should review the scope of “first-party” elements of cyber cover (incident response, regulatory defence, monetary penalty cover where insurable, notification costs) alongside “third-party” liability cover.

The decision should also be read alongside Lloyd v Google LLC and Stadler v Currys Group Ltd, which together substantially restrict the routes by which large-scale claimant litigation can proceed for low-value data breach harm.

Last reviewed

By Matt Bartlett, Director, on 2026-06-06. Next review: 2026-12-06.


This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-06. Apex Insurance Brokers Limited, FCA FRN 724952, Companies House 07014570. Not regulated advice — consult your broker on your specific position.

