Court gears up to hear Morrisons’ appeal against landmark data breach ruling
Supermarket giant Morrisons will launch an appeal tomorrow against the High Court's decision to find it vicariously liable for a data breach that hit over 100,000 employees.
In December last year the supermarket chain was found to be legally responsible for the breach, which was carried out by former employee Andrew Skelton.
Skelton, a former senior internal auditor at Morrisons' Bradford headquarters, posted sensitive information about his colleagues on the internet, including their bank account details, dates of birth, salary information, National Insurance numbers, addresses and phone numbers.
Skelton was jailed for eight years for the incident, which the court heard he carried out against his employer in an act of vengeance.
More than 5,000 claimants represented by law firm JMW Solicitors are seeking compensation from Morrisons over the breach, in what is the UK's first data-leak class action.
The claimants' lawyers argue that in seeking to reverse the finding of vicarious liability – whereby a company is deemed responsible for the tortious acts of its employer – Morrisons is denying compensation to its victims.
Read more: Morrisons turnaround gathers pace in best sales quarter in nine year
JMW's Nick McAleenan said: “This is a classic David and Goliath case – the victims here are shelf stackers, checkout staff and factory workers; just ordinary people doing their jobs. They were obligated to hand over sensitive financial and personal information to Morrisons – including National Insurance numbers, dates of birth and bank account details – and had every right to expect that information to be kept confidential.
“Instead of recognising the impact on its employees, of what was a very serious data breach, Morrisons now seeks to avoid legal responsibility and protect its £374m annual profits and despite the receipt of its own compensation to the tune of £170,000. It seeks to reverse the High Court’s findings of vicarious liability made in the claimants’ favour, thereby denying the claimants any compensation whatsoever for the considerable distress and inconvenience caused by Mr Skelton’s actions."
During the High Court hearing last year judge Mr Justice Langstaff granted Morrisons permission to appeal the case, which it is now doing in the Court of Appeal. He did this on the grounds he was "troubled" that his findings may have rendered the court "an accessory in furthering his [Skelton's] criminal aims".
A spokesperson for Morrisons said: “A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes. A judge previously found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues.
"Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. The judge said he was troubled that the crimes were aimed at Morrisons, an innocent party, and yet the court itself was becoming an accessory in furthering the aim of the crimes, to harm the company. We believe we should not be held responsible so that's why we are appealing this judgment.”