Morrisons loses data breach appeal

Morrisons is facing a potentially massive payout after losing an appeal in the High Court against a ruling from December 2017 which found the supermarket chain legally responsible for a data breach in 2014.

The result paves the way for compensation claims by 5,518 former and current staff members whose data was posted on the internet.

The original incident stemmed from senior internal auditor Andrew Skelton leaking the personal details of 100,000 staff members, including bank account details, dates of birth, salary information, national insurance numbers, addresses and phone numbers.

Morrisons argued that it could not be held directly or vicariously liable for the criminal misuse of the data, and that any other conclusion would be grossly unjust. Although Skelton received eight years in prison for his actions, the High Court still ruled that Morrisons was “vicariously liable” for his actions.

The appeal sought to reverse the UK’s first class action data breach case, denying all legal responsibility and leaving claimants without any compensation.

However, master of the rolls Terence Etherton, lord justice Bean and lord justice Flaux agreed with the High Court judge that Morrisons was vicariously liable “for the torts committed by Skelton against the claimants”.

Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, which represented the claimants, called the judgment a wake-up call for business.

“People care about what happens to their personal information, they expect large corporations to take responsibility when things go wrong in their own business and cause harm to innocent victims.

“It’s important to remember that data protection is not solely about protecting information – it’s about protecting people,” he added.

A spokesman for Morrisons pointed out: “Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.

“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.”

The statement added that the retailer will now appeal to the Supreme Court.

    Share Story:

Recent Stories

Find out how HULFT can help you manage data, integration, supply chain automation and digital transformation across your retail enterprise.
Talking shop: retail technology solutions from Brother
Retail Systems editor Peter Walker sits down with Brother’s senior commercial client manager Jessica Stansfield to talk through the company’s solutions for retailers and hospitality businesses, what’s new in labelling technology, and the benefits of outsourcing printing.