Morrisons to Challenge High Court Breach Liability Ruling
The Supreme Court has granted the supermarket the right to launch a second appeal against the High Court’s ruling that found it liable for a data leak perpetrated by a former employee.
Supermarket chain Morrisons is set to launch a second appeal to acquit itself of liability charges brought against it over a data breach, which affected more than 100,000 employees.
Last October, the Court of Appeal upheld a December 2017 High Court ruling against Morrisons that found the supermarket liable for a 2014 data breach in which a disgruntled former employee, Andrew Skelton, posted the personal data of thousands of workers online. Skelton was subsequently sentenced to eight years in prison for his behaviour.
Skelton, who at the time was a senior internal auditor at the company’s Bradford headquarters, copied and then posted Morrisons’ staff payroll information on data-sharing websites and sent the information to the press. The exposed data included bank account details, dates of birth, salary information, National Insurance numbers, addresses and phone numbers.
As a result of the breach, more than 5,500 claimants are seeking compensation from the supermarket. At the 2018 ruling, the Master of the Rolls refused the company permission to appeal further, which prompted Morrisons to apply directly to the Supreme Court for permission to appeal again.
Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, the legal firm representing the claimants, said: “While the decision to grant permission for a further appeal is of course disappointing for the claimants, we have every confidence that the right verdict will, once again, be reached.
“It cannot be right that there should be no legal recourse where employee information is handed in good faith to one of the largest companies in the UK and then leaked on such a large scale.
“This was a very serious data breach which affected more than 100,000 Morrisons’ employees. They were obliged to hand over sensitive personal and financial information and had every right to expect it to remain confidential. Instead, they were caused upset and distress by the copying and uploading of the information,” he said.
In a statement made after losing its first appeal, the company said that it had not been blamed by the courts for how it protected employee data. “But they found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.
“We believe we should not be held responsible, so that is why we will now appeal to the Supreme Court.”