Morrisons payroll data breach reaches Court of Appeal

Andy Rain / EPA-EFE / REX / Shutterstock

The class action case against Morrisons by staff who had their payroll data leaked online by a disgruntled employee has reached the Court of Appeal today.

Last year the High Court ruled that the supermarket was vicariously liable for the data breach and that employees should receive compensation.

In 2014 Andrew Skelton, an internal auditor at Morrisons, posted online the names, addresses, bank account details, national insurance numbers and salaries of more than 100,000 employees. At his trial, the court heard how he had held a grudge against the retailer after it accused him of dealing drugs at work. He was subsequently jailed for eight years.

More than 5,000 claimants are seeking compensation in the case which Morrisons is trying to reverse. JMW Solicitors, which is representing the claimants, said the supermarket is attempting to deny the claimants compensation, but Morrisons has said the High Court judge previously ruled the retailer was “not at fault”.

Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, said: “This is a classic David and Goliath case – the victims here are shelf stackers, check-out staff and factory workers; just ordinary people doing their jobs.

“They were obligated to hand over sensitive financial and personal information to Morrisons… and had every right to expect that information to be kept confidential.

“Instead of recognising the impact on its employees, of what was a very serious data breach, Morrisons now seeks to avoid legal responsibility and protect its £374m annual profits – and despite the receipt of its own compensation to the tune of £170,000.”

McAleenan added that Mr Justice Langstaff’s finding of liability provided reassurance to the many millions of people in this country whose own data is held by their employer. “‘Insiders’ are responsible for the vast majority of data breaches, so this case is particularly important,” he said.

“It cannot be right that there is no legal recourse where employee information has been handed to one of the largest companies in the UK and then leaked on such a large scale, in such circumstances.

“It was at Morrisons’ head office, in Morrisons’ time and using Morrisons’ equipment that Andrew Skelton made his copy of the claimants’ confidential payroll information. The claimants say that it is only right that Morrisons be held legally responsible for the harm caused, which arose from Skelton’s employment by Morrisons.”

If the Court upholds the ruling of vicarious liability, there will then be a further trial to assess the victims’ damages.

In last year’s High Court judgment, where he granted Morrisons leave to appeal against vicarious liability, Mr Justice Langstaff said: “The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I may seem to render the court an accessory in furthering his criminal aims.”

In a statement Morrisons said: “A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes. A judge previously found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues.

“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. The judge said he was troubled that the crimes were aimed at Morrisons, an innocent party, and yet the court itself was becoming an accessory in furthering the aim of the crimes, to harm the company. We believe we should not be held responsible so that’s why we are appealing this judgment.”

8 Responses to Morrisons payroll data breach reaches Court of Appeal

  1. Avatar
    Ken Platten 11 Oct 2018 at 11:43 am #

    Clearly there is a criminal act committed by the disgruntled employee. If Morrisons are held to be vicariously liable in the event of a criminal act can it be said that it was a breach of their duty of care and so be vicariously liable for a criminal act? You have to ask – was it foreseeable? Was it done in the course of employment (possibly) and would it be fair just and equitable to hold Morrison’s liable? In my view none of these factors apply and so to hold Morrison’s liable for a non-foreseeable criminal act would go against the grain. It is more than likely that whatever the CA says the case will go to the Supreme Court.

    • Avatar
      Terry 12 Oct 2018 at 10:36 am #

      Surely this is now a foreseeable risk for all employers. Anyone with access in our increasingly self service environment can access records within their authority and post, making the employer vicariously liable according to this case. How can that be best mitigated?

    • Avatar
      Eugene O'Rourke 22 Oct 2018 at 1:51 pm #

      If morrisons received compensation of Skelton, why would it be wrong for morrisons employees to receive compensation

  2. Avatar
    IanJ 12 Oct 2018 at 11:32 am #

    I’d disagree.
    The question of forreseeable must question how did the data get accessed, retrieved and stored and then uploaded to the internet?
    Could the employer have known the data had been accessed and downloaded, yes if someone was monioring payroll access?
    If Morrisions gave the employee free rein and acess to sensitive data, failed to supervise and monitor the employee tasks and what data was being downloaded, then management and IT processes have clearly failed on their watch to check what was going on!
    The Employer is spending more money trying to dodge accountability, the board should be more ethical, transparent and honest enough to recognise it is fully liable for its own inadequate data protection and invest in better data protection?

  3. Avatar
    David 12 Oct 2018 at 11:56 am #

    With this data exposed on line where is the trust with these companies all personal details exposed. Morrisons should admit its their fault and stand up for this instead of passing the blame this company owes this too all the staff but morrisons never listerns too whats said they should lose this case. Because everyone has to suffer from one person who is a crimminal and morrisons is too blame.

  4. Avatar
    Lesley cartledge 18 Oct 2018 at 1:20 pm #

    Do we know if the case was upheld please.

  5. Avatar
    Ken Platten 1 Jul 2020 at 7:06 pm #

    I told you so!

Leave a Reply