Morrisons vows to fight data leak compensation ruling

Morrisons has vowed to “fight all the way” after a judge allowed a compensation claim by thousands of staff whose personal details were posted on the internet by a grudge-bearing ex-employee.

The judge today admitted he was “troubled” at the implications of the decision for businesses across the UK, which could leave Morrisons forced to make a large payout despite claiming it had done all it could to protect staff after becoming aware of the incident.

The case follows a security breach in 2014 when Andrew Skelton, a senior internal auditor at the retailer’s Bradford headquarters, leaked the payroll data of nearly 100,000 employees - including their names, addresses, bank account details and salaries - by putting it online and sending it to newspapers.

Skelton, who was subsequently jailed for eight years, had been sacked for dealing in legal highs while at the company.

Today, judge Mr Justice Langstaff found Morrisons vicariously liable but not directly liable for the data leak. However, he expressed he was “troubled” by the implications of the decision and gave the retailer leave to appeal, which Morrisons is set to do next year..

The decision means a group of 5,518 former and current Morrisons employees can claim for compensation, should Morrisons lose what promises to be a long and protracted legal battle in the appeal courts, and potentially opens the doors to the other 94,480 individuals affected.

Lawyers for the staff said the data breach exposed them to the risk of identity theft and potential financial loss and that Morrisons was responsible for breaches of privacy, confidence and data protection laws.

They are seeking compensation for the upset and distress caused. Mr Justice Langstaff ruled: “I hold that the Data Protection Act (DPA) does not impose primary liability upon Morrisons; that Morrisons have not been proved to be at fault by breaking any of the data protection principles, save in one respect, which was not causative of any loss; and that neither primary liability for misuse of private information nor breach of confidentiality can be established.

“I reject, however, the arguments that the DPA upon a proper interpretation is such that no vicarious liability can be established, and that its terms are such as to exclude vicarious liability even in respect of actions for misuse of private information or breach of confidentiality.”

In July 2015 Skelton was found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data, and jailed for eight years.

The trial heard that his motive appeared to have been a grudge over a previous incident where he was accused of dealing in legal highs at work.

Counsel Jonathan Barnes said the company had already been awarded £170,000 compensation against Skelton, and his other “victims” should be compensated too.

Anya Proops QC, for Morrisons, said Skelton had already caused serious damage to the firm, not least because it incurred more than £2m in costs in responding to the misuse, including providing new anti-fraud protection, and could have to compensate all 100,000 individuals affected.

Proops said it had not been established that Morrisons fell short when it came to data security, and Skelton’s criminal disclosures could not be said to have been affected in the “course of his employment””.

“The imposition of vicarious liability in this case would otherwise result in the untenable situation where the court was effectively realising Skelton’s criminal objective of damaging Morrisons’ interests in the most absolute fashion, and otherwise exposing Morrisons to a compensation burden of a grossly disproportionate order.”

However, Nick McAleenan of JMW Solicitors, who acted on behalf of the employees, welcomed the judgment.

“This private information belonged to my clients. They are Morrisons checkout staff, shelf stackers, factory workers - ordinary people doing their jobs.

“The consequences of this data leak were serious. It created significant worry, stress and inconvenience for my clients.”

Morrisons said it would use every legal avenue to appeal the ruling starting with the Court of Appeal, with a hearing expected next year.

A spokesman said: “A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty of his crimes.

“The judge found that Morrisons was not at fault in the way it protected colleagues’ data, but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues. Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. The judge said he was troubled that the crimes were aimed at Morrisons, an innocent party, and yet the court itself was becoming an accessory in furthering the aim of the crimes, to harm the company. We believe we should not be held responsible so we will be appealing this judgement.”

Morrisons released the timeline of its action after the data breach, which it said showed the extent to which it had gone to protect its employees details.

In March 2014, Morrisons was contacted by the Bradford Telegraph and Argus newspaper, which said it had received an anonymous message that around 100,000 Morrisons employee details had been placed on the internet on a US file-sharing website. It also received a disc containing those details.

That evening, Morrisons said it took steps in the United States to get the data taken down.

The following day Morrisons said it informed colleagues that employee data had been stolen, placed on to the internet and then taken down. They were assured that they would not be financially disadvantaged and that the company would provide anti-fraud protection for their bank accounts. An internal and police investigation commenced.

Morrisons insists that, to date, it is not aware of any employees losing money as a result of the data breach.