Morrisons loses ruling on data breach challenge as compensation looms
Supermarket giant Morrisons faces a mass payout to staff after losing a major court case over a data leak this afternoon, in a ruling which could have implications for all UK businesses.
The Bradford-based chain lost its appeal against a High Court ruling that it is legally liable for a former employee leaking personal information about 100,000 staff members. It may now face a compensation bill running into millions.
In the first data leak class action in the UK, more than 5,000 Morrisons workers brought a claim against the company for damages for the upset and distress caused, after auditor Andrew Skelton stole their personal data, including salary and bank details, and sent it to national newspapers and posted it online.
Skelton, who leaked the data because of a grudge, was jailed for eight years for the offence in 2015.
At the Court of Appeal Morrisons, Britain’s fourth-biggest supermarket, had argued it was not responsible for the breach and could not be held directly or vicariously liable for it – but today the court disagreed, paving the way for a mass payout.
Read more: Morrisons finance boss promoted in wake of turnaround plan
The landmark case has clear implications for all companies, with legal experts arguing that the ruling was a stark warning to businesses that they are liable for the illegal acts of their employees.
“The fact that the Court of Appeal has confirmed that Morrisons is vicariously liable for the loss resulting from the criminal actions of a former employee will sound warning bells and have significant ramifications for every business,” according to Richard Hayllar, partner at UK law firm TLT.
Harry Abrams, employment solicitor at Seddons, said that “we are seeing a diminution of an employer’s ability to rely on the traditional defence that the employee was on a frolic of their own.”
Clarke Willmott intellectual property lawyer Susan Hall said: “The verdict in the High Court effectively achieved the former employee’s purpose of punishing Morrisons by making them liable for potentially millions of pounds in compensation, through no fault of their own. That it has been upheld by the Court of Appeal will have employers up and down the country panicking as there is very little they can do to guard against a similar situation.”
Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors who represents the claimants, said: “The judgment is a wakeup call for business. People care about what happens to their personal information. They expect large corporations to take responsibility when things go wrong in their own business and cause harm to innocent victims. It’s important to remember that data protection is not solely about protecting information – it’s about protecting people”.
Morrisons immediately said it would appeal to the highest legal authority of all, the Supreme Court.
A spokesman for Morrisons said: “A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes.
“Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible so that’s why we will now appeal to the supreme court.”