Supermarket chain Morrisons has appeared at the Court of Appeal this week after being ordered to pay compensation to thousands of employees whose personal information was published online by an aggrieved member of staff. The appeals case has come to an end with judgement currently reserved.
Trouble started brewing for Morrisons back in 2014 when Andrew Skelton, then a senior internal auditor at the company’s Bradford headquarters, leaked payroll data of more than 100,000 employees, including their names, addresses, salaries and bank account details.
In court the following year, he was said to have a “considerable grudge” against Morrisons after he was accused of dealing in ‘legal highs’ in the workplace.
Skelton was found guilty of fraud and of disclosing personal details. He was jailed for eight years, while Morrisons spent more than £2 million dealing with the breach.
In 2017, the High Court ruled that a group of more than 5,000 former and current employees had been exposed to the risk of identity theft and potential financial loss.
It declared that Morrisons was liable for the release of information and its employees were entitled to compensation. The court stated that, despite Skelton’s guilt, he had been acting in the course of his employment when he leaked the data.
Morrisons, however, believes it should not be held directly or vicariously liable for the criminal misuse of the data.
This week, the supermarket chain wants the judgement to be “overturned”, in the words of barrister Anya Proops QC, because it feels the ruling of High Court judge Mr Justice Langstaff was “highly divergent” from data protection laws passed by Parliament.
The case is the UK’s first data leak class action. As such, the Court of Appeal’s decision will have important implications for other organsiations, which could potentially also find themselves being held to account due to data breaches caused by rogue employees.