The Court of Appeal has upheld the judgment finding Morrisons vicariously liable for the leak of payroll data by a disgruntled employee, but the supermarket says it will take the case to the Supreme Court.
Legal commentators have said that employers will be panicking in light of today’s “bewildering” judgment. Morrisons said it will appeal to the Supreme Court.
In 2014 Andrew Skelton, an internal auditor at Morrisons, posted the names, addresses, bank account details, national insurance numbers and salaries of more than 100,000 employees online. At his criminal trial, he was jailed for eight years.
Last year the High Court ruled that the supermarket was vicariously liable for the data breach and that employees should receive compensation. More than 5,500 claimants are seeking a payout in the case, although there has been no indication that anyone has suffered financially from the leak.
Nick McAleenan, partner at JMW Solicitors, which is representing the claimants, said: “[Employees] were obliged to hand over sensitive personal information and had every right to expect it to remain confidential, but a copy was made and it was uploaded to the internet and they were put at risk of fraud, identity theft and a host of other problems. Unsurprisingly, this caused a huge amount of worry, stress and inconvenience.
“The claimants are obviously delighted with the Court of Appeal’s ruling. The judges unanimously and robustly dismissed Morrisons’ legal arguments.”
He added that the judgment was a “wake-up call” for business. “People care about what happens to their personal information. They expect large corporations to take responsibility when things go wrong in their own business and cause harm to innocent victims. It’s important to remember that data protection is not solely about protecting information – it’s about protecting people”.
But Susan Hall, intellectual property lawyer at Clarke Willmott, said: “This is a bewildering judgment. The first instance decision was in many respects shocking, with the judge himself acknowledging that Morrisons had done nothing wrong…
“The verdict in the High Court effectively achieved the former employee’s purpose of punishing Morrisons by making them liable for potentially millions of pounds in compensation, through no fault of their own. That it has been upheld by the Court of Appeal will have employers up and down the country panicking as there is very little they can do to guard against a similar situation.”
A Morrisons spokesman said: “Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of [a] former employee, even though his criminal actions were targeted at the company and our colleagues.
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible so that’s why we will now appeal to the Supreme Court.”
In dismissing the case at the Court of Appeal today, three senior judges said they found Morrisons’ arguments “unconvincing”.
Their judgment read: “Mr Skelton’s nefarious activities involved the data of a very large number of employees although, so far as we are aware, none of them has suffered financial loss. But suppose he had misused the data so as to steal a large sum of money from one employee’s bank account. If Morrisons’ arguments are correct, then (save for any possible claim against the bank) such a victim would have no remedy except against Mr Skelton personally.”
They acknowledged that corporate system failures or employees’ negligence might lead to a large number of claims against a company for “potentially ruinous amounts” but said that the solution is to insure against such catastrophes.
In last year’s High Court decision, the judge acknowledged that his judgment “may seem to render the court an accessory in furthering [Mr Skelton’s] criminal aims.”
Oz Alashe, CEO of cybersecurity training platform CybSafe, said: “It is hard to see what Morrisons could have realistically done to prevent this situation from arising. Nevertheless, the message from today’s ruling is clear: even when a company is the victim of criminal activity from within its own organisation, ultimate responsibility for keeping personal data secure rests on its shoulders.”