Morrisons has won a Supreme Court appeal over whether it should be held liable for £55 million in damages after an employee leaked the payroll data of 100,000 colleagues.
Andrew Skelton was jailed for eight years in 2015 for orchestrating the leak after he was disciplined by bosses for dealing legal highs from his office desk.
The supermarket chain had previously been held responsible for its former senior internal auditor's actions and the multimillion-pound damages they caused.
But a panel of five Supreme Court justices unanimously ruled today that Morrisons was not 'vicariously liable' for the behaviour of Skelton, who disclosed staff information on the internet and also sent it to newspapers.
Announcing the decision via livestream, the court's president Lord Reed said Skelton, who worked at the supermarket's Bradford headquarters, leaked the data because of a 'grudge' over the previous disciplinary warning.
The judge said employers could only be held liable for the actions of employees if they were 'closely connected' with their duties at work.
He said: 'In the present case, Skelton was not engaged in furthering Morrisons' business when he committed the wrongdoing in question.
'On the contrary, he was pursuing a personal vendetta, seeking revenge for the disciplinary proceedings a month earlier.
'In these circumstances, applying the established approach to cases of this kind, his employer is not vicariously liable.'
Legal action was launched in 2014 over Skelton's data breach, which saw the details of 100,000 staff members released, including their names, addresses, bank account details and salaries.
Lawyers for more than 9,000 claimants have described the action as a 'classic David and Goliath case'.
They are seeking compensation for the upset and distress caused in a case with potential implications for every individual and business in the country.
In July 2015, Skelton was found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data, and was jailed for eight years.
At a hearing in November last year, Lord Pannick QC, representing the supermarket, said it could not be held directly or vicariously liable for the criminal misuse of the data, and that any other conclusion would be grossly unjust.
But, in previous rulings, both the High Court and Court of Appeal held that it is 'vicariously liable' for Skelton's actions.
It was argued on behalf of Morrisons that if those findings were allowed to stand, the company, although 'entirely blameless', would be exposed to 'compensation claims on a potentially vast scale'.
The latest round of the litigation at the Supreme Court followed a blow for Morrisons at the Court of Appeal in October last year, when three leading judges upheld a 2017 High Court finding on the issue of liability.
Lord Pannick submitted that the lower courts made 'errors of law' and reached the 'wrong answer' on the question of liability.
Lawyers for the claimants argued that the company's appeal should be dismissed as 'Morrisons is vicariously liable to the claimants for the conduct of its employee Mr Skelton'.
The Supreme Court was asked to decide whether the Data Protection Act 1998 excludes the application of vicarious liability to a breach of that Act, or for misuse of private information or breach of confidence.
It was also asked to rule on whether the Court of Appeal 'erred in concluding that the disclosure of data' by its employee occurred in the course of his employment, for which the company should be held vicariously liable.
A statement issued by Morrisons after the ruling today said: 'The theft of data happened because a single employee with legitimate authority to hold the data, also held a secret and wholly unreasonable grudge against Morrisons and wanted to hurt the company and our colleagues.
'We are pleased that the Supreme Court has agreed that Morrisons should not be held vicariously liable for his actions when he was acting alone, to his own criminal plan and he's been found guilty of this crime and spent time in jail.
'A court has already found that Morrisons was not responsible for any direct wrongdoing in respect of this data theft.
'We also know that many colleagues appreciated the way we got the data taken down quickly, provided protection for their bank accounts and reassured them that they would not, in any circumstances, be financially disadvantaged.
'In fact, we've seen absolutely no evidence of anyone suffering any direct financial loss.'