Morrisons has been found liable for a data breach which saw nearly 100,000 staff members' personal details made public.
In what is thought to be the first class action data leak case in the UK, High Court Justice Langstaff ruled that the retailer should compensate employees for “distress” caused by the leak.
“I hold that the Data Protection Act (DPA) does not impose primary liability upon Morrisons; that Morrisons have not been proved to be at fault by breaking any of the data protection principles, save in one respect which was not causative of any loss; and that neither primary liability for misuse of private information nor breach of confidentiality can be established,” the judge said.
“The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of [former senior internal auditor Andrew] Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims.
“I grant leave to Morrisons to appeal my conclusion as to vicarious liability, should they wish to do so, so that a higher court may consider it, but would not, without further persuasion, grant permission to cross-appeal my conclusions as to primary liability.”
A total of 5518 current and former employees are now expected to receive compensation from Morrisons, with the grocer’s lawyer during the case, Anya Proops QC, warning that this will likely open the door for the other 94,480 victims to claim compensation.
Skelton was found guilty of fraud, securing unauthorised access to computer material and disclosing personal data in 2015 after he released thousands of employees’ bank account details and home addresses online and to the press.
Morrisons has confirmed that it would appeal the ruling, and added that it was not aware of any employee losing money as a result of the data breach.
“A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes,” the grocer said in a statement.
“The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues.
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.
“The judge said he was troubled that the crimes were aimed at Morrisons, an innocent party, and yet the court itself was becoming an accessory in furthering the aim of the crimes, to harm the company.
“We believe we should not be held responsible so we will be appealing this judgement.”
Nick McAleenan, partner at JMW Solicitors, who represented the claimants, added: “The High Court has ruled that Morrisons was legally responsible for the data leak.
“We welcome the judgment and believe that it is a landmark decision, being the first data leak class action in the UK.
“The consequences of this data leak were serious. It created significant worry, stress and inconvenience for my clients.
“Data breaches are not a trivial or inconsequential matter. They have real victims. At its heart, the law is not about protecting data or information – it is about protecting people.”