Morrisons Set To Launch Appeal Against Landmark Data Breach Ruling


Morrisons, the supermarket giant, is set to launch an appeal tomorrow against the decision of the High Court to render it vicariously liable for a data breach that affected more than 100,000 employees.

Last December, the supermarket chain was deemed to be legally responsible for the said breach. The breach was carried out by Andrew Skelton, one of its former employees.

Skelton is a former senior internal auditor at the Bradford headquarters of Morrisons. He posted sensitive information regarding his colleagues on the internet. It included their dates of birth, bank account details, National Insurance numbers, salary information, phone numbers, and addresses.

Skelton was imprisoned for eight years for the said incident. The court said that he carried out against his employer as an act of vengeance.

More than 5,000 claimants who were represented by JMW Solicitors, a law firm, are seeking compensation from Morrisons because of the breach, in what is considered as the first data-leak class action in the United Kingdom.

The lawyers of the claimants argue that in attempting to reverse the finding of vicarious liability – whereby a firm is deemed to be responsible for the tortious acts of its employer – Morrisons is refusing to hand out compensation to the victims.

Nick McAleenan of JMW stated: “This is a classic David and Goliath case – the victims here are shelf stackers, checkout staff and factory workers; just ordinary people doing their jobs. They were obligated to hand over sensitive financial and personal information to Morrisons – including National Insurance numbers, dates of birth and bank account details – and had every right to expect that information to be kept confidential.”

He added: “Instead of recognising the impact on its employees, of what was a very serious data breach, Morrisons now seeks to avoid legal responsibility and protect its £374m annual profits and despite the receipt of its own compensation to the tune of £170,000. It seeks to reverse the High Court’s findings of vicarious liability made in the claimants’ favour, thereby denying the claimants any compensation whatsoever for the considerable distress and inconvenience caused by Mr Skelton’s actions.”

Last year, during the High Court hearing, judge Justice Langstaff granted Morrisons permission to file an appeal against the case, which the company is now doing in the Court of Appeal. He did this on the grounds that he was “troubled” that his findings may have rendered the court to be “an accessory in furthering his [Skelton’s] criminal aims.”

A Morrisons spokesperson stated: “A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes. A judge previously found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues.”

He added: “Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. The judge said he was troubled that the crimes were aimed at Morrisons, an innocent party, and yet the court itself was becoming an accessory in furthering the aim of the crimes, to harm the company. We believe we should not be held responsible so that’s why we are appealing this judgment.”