Morrisons takes landmark data breach ruling to the Court of Appeal

Thousands of staff from Morrisons supermarket who had their personal details put online are to have an initial ruling taken to the Court of Appeal.

A decision made in the High Court in 2017 said that Morrisons was at fault for the data leak, which led to Britain’s first data leak class action. It was judged that the employees affected by the breach were entitled to compensation which could run into thousands of pounds.

The case reaches back to 2014 when a senior auditor at Morrisons HQ in Bradford leaked private details of over 100,000 workers. The data packages contained information regarding staff names, pay rates, bank accounts, and home addresses.

In court, it was divulged that the auditor in question – Mr Andrew Skelton – held a major grudge against his employer at the time because of accusations aimed at him regarding ‘legal high’ drug use in the workplace.

Despite Mr Skelton’s actions, the High Court ruled that Morrisons was “vicariously” liable because the perpetrator had been operating within his capacity as a firm employee when the information was made public.

Even so, a high number of former and current Morrisons workers had their personal details put at risk openly online, making them vulnerable to ID theft and potential financial loss. The employees were therefore entitled to compensation, but Morrisons is appealing against the ruling.

Morrisons’ decision to appeal could set a new precedent for other firms who may also have to pay compensation for the behaviour of disgruntled employees.

The popular supermarket chain has denied it can be held liable, vicariously or otherwise, for the transgression and will make its appeal case in the Court of Appeal on Tuesday.

As reported by the BBC website, Nick McAleenan of JMW Solicitors is representing the claimants.

“It cannot be right that there is no legal recourse where employee information has been handed to one of the largest companies in the UK and then leaked on such a large scale, in such circumstances,” he said.

McAleenan’s aim is to reverse the ruling made in the High Court, while Morrisons has said that the employees are not entitled to any compensation despite Andrew Skelton’s actions leading to “considerable distress and inconvenience” for the victims.

Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.