Morrisons takes fight over data breach liability to Supreme Court

By:

Morrissons shareholder J O Hambro said the supermarket has”a growing reputation in convenience, wholesale and non-food retailing and a strong presence in forecourt retailing”.

Morrisons will begin its final appeal to the Supreme Court this week after losing a landmark case over the liability of employers in staff data breaches. 

The supermarket giant lost an initial challenge at the Court of Appeal in October last year after a judge ruled that the supermarket was legally liable for a former employee leaking the payroll information of 100,000 members of staff. 

Read more: Morrisons granted permisson for Supreme Court appeal over data breach ruling

Morrisons argued it could not be held directly or vicariously liable for the breach and is appealing its case for a final time this week. 

More than 9,200 Morrisons employees – an additional 3,747 since the court hearing in October – have brought a claim against the firm after sensitive data – including salaries and bank details – was posted online by a disgruntled employee. 

The claimants are seeking damages for upset and distress caused after auditor Andrew Skelton leaked their personal data online and to newspapers. 

Skelton, who held a grudge against the company after facing disciplinary action, was jailed for eight years in 2015. 

The court said last year that Morrisons was “vicariously” liable for the misuse of data under their control, in a ruling on the UK’s first data breach class action that could have huge financial and technical repercussions for firms. 

Ahead of the Supreme Court case, which is expected to conclude on Thursday, Nick McAleenan, a partner at JMW Solicitors representing the claimants, said: “This will be Morrisons’ second – and final – attempt to exonerate itself after being found legally responsible by the High Court and Court of Appeal for a large-scale data breach, which affected tens of thousands of its staff.” 

Pulina Whitaker, partner at law firm Morgan Lewis, said the case is “significant for all organisations that handle personal data”.

Read more: Morrisons and Amazon: Retail’s newest BFFS

She said: “It demonstrates that even where an employer has done everything it reasonably can to prevent employees misusing personal data, and is not itself legally at fault for breaching technical and organisational security breaches under the Data Protection Act, it may nevertheless be vicariously liable for the actions of those employees.”

Morrisons declined to comment.

Main image credit: Getty

Subscribe

Subscribe to the City AM newsletter to have our top stories delivered directly to your inbox.

Subscribe
By signing up to our newsletters you agree to the Terms and Conditions and Privacy Policy.