• IE
Choose your location?
  • Global Global
  • Australian flag Australia
  • French flag France
  • German flag Germany
  • Irish flag Ireland
  • Italian flag Italy
  • Polish flag Poland
  • Qatar flag Qatar
  • Spanish flag Spain
  • UAE flag UAE
  • UK flag UK

The Morrisons Data Breach Case – a Private Prosecution Perspective

04 June 2020
Private Prosecutions are becoming an increasingly important tool for organisations wanting to protect their workforce and take action to protect themselves from rogue employees, this article highlights why.
On 1 April 2020, in a landmark decision, the Supreme Court ruled that WM Morrisons Supermarkets Plc ("Morrisons") was not vicariously liable for a large scale data leak by a former employee which affected 100,000 members of staff.

By way of background, Morrisons faced a class civil action from its employees after Andrew Skelton, who was employed as a senior internal auditor at the firms head office in Bradford, leaked employee data after receiving a verbal warning from his employer following disciplinary proceedings (which were unrelated to his trusted duties). Skelton appears to have taken umbrage with this decision and in a clear abuse of his positon of trust, proceeded to send information about staff salaries, bank details and National Insurance numbers to several newspapers and also posted it on data sharing websites, in a data breach which cost the company more than £2m to rectify.

Skelton was subsequently prosecuted by the Crown Prosecution Service ("CPS") and found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data. In July 2015 he received an eight year prison sentence for fraud and eighteen months sentence for each of the DPA and Misuse of Computers offences, to run concurrently.

In a unanimous ruling the Supreme Court panel of five judges concluded Morrisons was not "vicariously liable" for the actions of Skelton. This decision overturned a landmark class civil action by 9000 employess for compensation. The High Court had previously ruled Morrisons was liable, with the Court of Appeal upholding that decision.

Lord Reed, stated that Skelton had leaked the data because of a “grudge”. He added that employers could only be held liable for the actions of employees if they were “closely connected” with their duties at work and that …“in the present case, Skelton was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking revenge for the disciplinary proceedings a month earlier…"

The successful prosecution of Skelton was a prime example of how an effective working partnership between industry and the Police can lead to an offender being brought to justice following a lengthy and complex investigation. When the Police and CPS do undertake a prosecution, it is always good practice for the victim (in this case, Morrisons) to assist as much as they can, as was the case here.

However, this may well be the exception to the rule. Despite the government's recent pledge to recruit 20,000 additional police officers over the next three years, current police budget cuts continue to bite and our criminal justice system faces increased pressure. According to the most recent Home Office data showing in the year ending September 2018 only 8.2 per cent of 5 million recorded crimes were prosecuted by the CPS, down from 9.5 per cent the previous year. The proportion of offences charged fell across all categories, with less than 1% of cybercrimes reported leading to prosecution and just 1 in 500 frauds committed on people in England and Wales being prosecuted by police, despite a 20% rise in the crime, new figures show.
It is therefore not uncommon for the Police and Prosecutors to take the view that such data breach matters are difficult to investigate and more "civil" in nature rather than criminal. So, what if in the future the CPS make a decision not to prosecute? This raises the interesting proposition as to whether the victim (be it a corporate or an individual) of a data breach (or indeed any similar cybercrime offences) may be able to utilise and successfully deploy a private prosecution as an alternative to civil litigation, which can be often be drawn out and expensive as a mechanism in order to seek justice.

By way of definition a private prosecution is a useful and alternate means of recourse open to either an individual or a corporate who has been the victim of a crime and wishes to commence criminal proceedings themselves. It is important to note that the victim must have previously exhausted all other avenues open to them.

In addition it is imperative that any private prosecution brought isn't vexatious and satisfies the two limbs of the CPS Code of Conduct, namely is there enough reliable and credible evidence against a defendant to provide a “realistic prospect of conviction” and whether it is in the public interest for the CPS to bring the case to court.

In light of the current climate private prosecutions are only likely to increase over the coming years as individuals and corporates turn to them as a means of recourse in order to seek justice. The Morrisons case demonstrates the importance of corporates who are the victims of crime being able to undertake their own prosecutions so long as they meet the necessary criteria should the CPS decide against pursuing those responsible. The criminal prosecution in this case, we say, was a significant step towards the ultimate outcome.

Should you require any further information in relation to private prosecutions then please contact Jeremy Bird or Simon Belfield.