Morrisons has said it will appeal to the Supreme Court after it lost a challenge against a High Court ruling that it was liable for a data breach which saw private details for nearly 100,000 employees posted online.
The Court of Appeal today upheld a decision against the supermarket, issued in December last year, in the UK’s first data leak class action case, which could leave it liable to a massive compensation payout.
It follows a security breach in 2014 when Andrew Skelton, a senior internal auditor at the retailer’s Bradford headquarters, leaked the payroll data of nearly 100,000 employees - including their names, addresses, bank account details and salaries - by putting it online and sending it to newspapers.
Skelton, who was subsequently jailed for eight years, had been sacked for dealing in legal highs while at the company.
After the hearing Morrisons immediately set out its intention to appeal to the Supreme Court.
“A former employee of Morrisons used his position to steal data about our colleagues and place it on the internet and he’s been found guilty for his crimes,” said a spokesman. “Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible so that’s why we will now appeal to the Supreme Court.”
Morrisons has previously told The Grocer it will “fight all the way” to defend its actions.
The High Court judge last December admitted he was “troubled” at the implications of the decision for businesses across the UK, which could leave Morrisons forced to make a large payout despite claiming it had done all it could to protect staff after becoming aware of the incident.
But three Court of Appeal judges rejected the company’s appeal, saying they agreed with the High Court’s earlier decision that Morrisons was “vicariously liable for the torts committed by Mr Skelton against the claimants”.
In depth: How do supermarkets’ privacy hubs measure up on GDPR?
Unless Morrisons wins its final appeal, today’s ruling paves the way for 5,518 claimants to receive compensation.
Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, representing the claimants, said: “This case involves a significant data leak which affected more than 100,000 Morrisons employees - checkout staff, shelf stackers and factory workers, hard-working people on whom Morrisons’ entire business relies. They were obliged to hand over sensitive personal information and had every right to expect it to remain confidential, but a copy was made and it was uploaded to the internet and they were put at risk of fraud, identity theft and a host of other problems. Unsurprisingly, this caused a huge amount of worry, stress and inconvenience.
“The claimants are obviously delighted with the Court of Appeal’s ruling. The judges unanimously and robustly dismissed Morrisons’ legal arguments. These shop and factory workers have held one of the UK’s biggest organisations to account and won - and convincingly so. This latest judgment provides reassurance to the many millions of people in this country whose own data is held by their employer.
“The judgment is a wakeup call for business. People care about what happens to their personal information. They expect large corporations to take responsibility when things go wrong in their own business and cause harm to innocent victims. It’s important to remember that data protection is not solely about protecting information - it’s about protecting people.”
Read more: Tesco CEO Dave Lewis tells court of ‘shock’ over profits
Richard Hayllar, a partner at UK law firm TLT, said he believed today’s judgment could lead to data breaches becoming the next big claims theme for businesses.
“The fact that the Court of Appeal has confirmed that Morrisons is vicariously liable for the loss resulting from the criminal actions of a former employee will sound warning bells and have significant ramifications for every business,” he said.
“Businesses will need to review who has access to data and how it is protected. This will involve further investment in data loss prevention and limiting access to data to prevent a breach from happening.”
No comments yet