Supermarket facing payout over data leak
SUPERMARKET giant Morrisons faces a potentially “vast” payout after losing a challenge against a ruling which gave the go-ahead for compensation claims by thousands of staff whose personal details were posted on the internet.
Three Court of Appeal judges in London announced their decision yesterday on the issue of liability in the latest round of the first data leak class action in the UK.
Litigation was launched after a security breach in 2014 when Andrew Skelton, a senior internal auditor at the retailer’s Bradford headquarters, leaked the payroll data of around 100,000 employees.
Information included their names, addresses, bank account details and salaries.
A group of 5,518 former and current employees said this exposed them to the risk of identity theft and potential financial loss and that Morrisons was responsible for breaches of privacy, confidence and data protection laws.
They are seeking compensation for the upset and distress caused in a case with potential implications for every individual and business in the country.
Morrisons said it could not be held directly or vicariously liable for the criminal misuse of the data, and that any other conclusion would be grossly unjust.
But a High Court judge found in December that vicarious liability had been established.
The company challenged that finding at a recent Court of Appeal hearing before Master of the Rolls Sir Terence Etherton, Lord Justice Bean and Lord Justice Flaux.
Rejecting the appeal brought by Morrisons, the appeal judges said they agreed with the High Court judge that Morrisons was “vicariously liable for the torts committed by Mr Skelton against the claimants. The appeal is dismissed.”
In July 2015, Skelton was found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data and jailed for eight years.
During the appeal hearing, Anya Proops QC, for Morrisons, told the judges that, if the High Court decision was allowed to stand, the company was exposed to “compensation claims on a potentially vast scale”.
A spokesman for Morrisons said: “A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes.
“Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.
“We are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible so that’s why we will now appeal to the Supreme Court.”