Morrisons launches appeal to landmark data breach ruling

2726

Morrisons is set to begin its appeal against a landmark data breach case in which it was found to be “vicariously liable”.

Tomorrow the retailer will begin its appeal against a High Court ruling from December 2017 which found it legally responsible for a data breach which saw 100,000 staff members’ bank account details, dates of birth, salary information, national insurance numbers, addresses and phone numbers leaked to the internet.

The 2014 breach saw disgruntled senior internal auditor Andrew Skelton upload the staff members’ details to data sharing websites.

Though Skelton received eight years in prison for his actions, the court ruled that Morrisons was not “directly liable” but was “vicariously liable” for the actions of its employee.

Morrisons is seeking to reverse the ruling of what was the UK’s first class action data breach case, denying all legal responsibility and leaving claimants without any compensation.

5518 claimants are currently  seeking compensation from the grocer over the 2014 data breach.

Although Morrisons has already paid out income protection measures, the claimants argue they deserve compensation as they were caused significant stress due to being exposed to the risk of identity fraud and financial loss.

If Morrisons is unsuccessful in reversing the ruling, a ‘quantum’ trial will follow to assess how much the victims will receive in compensation.

“This is a classic David and Goliath case – the victims here are shelf stackers, checkout staff and factory workers; just ordinary people doing their jobs,” JMW Solicitors data privacy law specialist Nick McAleenan, who is representing the claimants, said.

“They were obligated to hand over sensitive financial and personal information to Morrisons – including national insurance numbers, dates of birth and bank account details – and had every right to expect that information to be kept confidential.

“Instead of recognising the impact on its employees, of what was a very serious data breach, Morrisons now seeks to avoid legal responsibility and protect its £374m annual profits – and despite the receipt of its own compensation to the tune of £170,000.”

Click here to sign up to Retail Gazette’s free daily email newsletter