The class action case against Morrisons by staff who had their payroll data leaked online by a disgruntled employee has reached the Court of Appeal today.
Last year the High Court ruled that the supermarket was vicariously liable for the data breach and that employees should receive compensation.
In 2014 Andrew Skelton, an internal auditor at Morrisons, posted online the names, addresses, bank account details, national insurance numbers and salaries of more than 100,000 employees. At his trial, the court heard how he had held a grudge against the retailer after it accused him of dealing drugs at work. He was subsequently jailed for eight years.
More than 5,000 claimants are seeking compensation in the case which Morrisons is trying to reverse. JMW Solicitors, which is representing the claimants, said the supermarket is attempting to deny the claimants compensation, but Morrisons has said the High Court judge previously ruled the retailer was “not at fault”.
Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, said: “This is a classic David and Goliath case – the victims here are shelf stackers, check-out staff and factory workers; just ordinary people doing their jobs.
“They were obligated to hand over sensitive financial and personal information to Morrisons… and had every right to expect that information to be kept confidential.
“Instead of recognising the impact on its employees, of what was a very serious data breach, Morrisons now seeks to avoid legal responsibility and protect its £374m annual profits – and despite the receipt of its own compensation to the tune of £170,000.”
McAleenan added that Mr Justice Langstaff’s finding of liability provided reassurance to the many millions of people in this country whose own data is held by their employer. “‘Insiders’ are responsible for the vast majority of data breaches, so this case is particularly important,” he said.
“It cannot be right that there is no legal recourse where employee information has been handed to one of the largest companies in the UK and then leaked on such a large scale, in such circumstances.
“It was at Morrisons’ head office, in Morrisons’ time and using Morrisons’ equipment that Andrew Skelton made his copy of the claimants’ confidential payroll information. The claimants say that it is only right that Morrisons be held legally responsible for the harm caused, which arose from Skelton’s employment by Morrisons.”
If the Court upholds the ruling of vicarious liability, there will then be a further trial to assess the victims’ damages.
In last year’s High Court judgment, where he granted Morrisons leave to appeal against vicarious liability, Mr Justice Langstaff said: “The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I may seem to render the court an accessory in furthering his criminal aims.”
In a statement Morrisons said: “A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes. A judge previously found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues.
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. The judge said he was troubled that the crimes were aimed at Morrisons, an innocent party, and yet the court itself was becoming an accessory in furthering the aim of the crimes, to harm the company. We believe we should not be held responsible so that’s why we are appealing this judgment.”