Morrisons Loses Appeal Over Rogue Employee Data Leak
The supermarket chain faces a “vast fine” but plans to take the case to the Supreme Court.
Morrisons faces a multimillion-pound payout after losing an appeal against a ruling that opened the floodgates to compensation claims from thousands of the supermarket’s employees who had their personal information published online.
The case stems from a data breach in 2014, in which a disgruntled former senior internal auditor at the supermarket’s Bradford office, Andrew Skelton, distributed the payroll details of roughly 100,000 employees online. The data included their names, addresses, salaries and bank account details.
A group of 5,518 former and current staff who were affected by the breach took the matter to the courts, stating that they deserved to be compensated for the distress and upset the incident had caused them.
Criminal use of data
The firm said it should not be held responsible for the criminal use of the data by an individual, and that that individual alone should be held to account. Skelton had already been found guilty of fraud, securing unauthorised access to computer material and disclosing personal data, and was jailed for eight years.
However, in December 2017, the High Court declared that Morrisons was vicariously liable for the data breach.
During the recent appeal hearing, Anya Proops QC, for Morrisons, asserted that if the High Court’s decision was permitted to stand, Morrisons would be exposed to “compensation claims on a potentially vast scale”.
On Monday the Court of Appeal dismissed Morrisons’ appeal, setting a precedent not only for data privacy but also for businesses that may suffer at the hands of rogue employees.
Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who represented the claimants, said: “The judgement is a wake-up call for business. People care about what happens to their personal information.
“They expect large corporations to take responsibility when things go wrong in their own business and cause harm to innocent victims. It’s important to remember that data protection is not solely about protecting information. It’s about protecting people.”
A spokesman for Morrisons said: “A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes.
“Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged.
“In fact, we are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible so that’s why we will now appeal to the Supreme Court.”