Morrisons faces a potentially “vast” payout after it losing its appeal on a landmark data breach court ruling in which it was found to be “vicariously liable”.
The result of the appeal now paves the way for compensation claims by 5518 former and current staff members whose personal details were posted on the internet.
Morrisons had sought to challenge a High Court ruling from December 2017 which found the retailer legally responsible for a massive data breach in 2014.
The incident saw former senior internal auditor Andrew Skelton leak the personal details of 100,000 staff members, including bank account details, dates of birth, salary information, national insurance numbers, addresses and phone numbers.
Morrisons argued that it could not be held directly or vicariously liable for the criminal misuse of the data, and that any other conclusion would be grossly unjust.
Although Skelton received eight years in prison for his actions, the High Court still ruled that Morrisons was “vicariously liable” for his actions.
Morrisons’ appeal sought to reverse the ruling of what was the UK’s first class action data breach case, denying all legal responsibility and leaving claimants without any compensation.
However, three Court of Appeal judges in London today announced their decision on the issue of liability, dissmissing the appeal brought by Morrisons.
Master of the Rolls Sir Terence Etherton, Lord Justice Bean and Lord Justice Flaux said that they agreed with the High Court judge that Morrisons was “vicariously liable for the torts committed by Mr Skelton against the claimants.”
Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who represents the claimants, said: “This case involves a significant data leak which affected more than 100,000 Morrisons employees – checkout staff, shelf-stackers, and factory workers; hard-working people on whom Morrisons’ entire business relies.
“They were obliged to hand over sensitive personal information and had every right to expect it to remain confidential, but a copy was made and it was uploaded to the internet and they were put at risk of fraud, identity theft and a host of other problems. Unsurprisingly, this caused a huge amount of worry, stress and inconvenience.
“The claimants are obviously delighted with the Court of Appeal’s ruling. The judges unanimously and robustly dismissed Morrisons’ legal arguments.
“These shop and factory workers have held one of the UK’s biggest organisations to account and won – and convincingly so. This latest judgment provides reassurance to the many millions of people in this country whose own data is held by their employer.
“The judgment is a wake-up call for business. People care about what happens to their personal information.
“They expect large corporations to take responsibility when things go wrong in their own business and cause harm to innocent victims. It’s important to remember that data protection is not solely about protecting information – it’s about protecting people.”
A spokesman for Morrisons said: “A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes.
“Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged.
“In fact, we are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible so that’s why we will now appeal to the Supreme Court.”