Morrisons loses data leak appeal

Supermarket giant Morrisons has lost the latest round in the legal battle for compensation brought by thousands of its staff whose personal details were leaked on the Internet. The case reached the Court of Appeal on 9 October 2018, and on 22 October Morrisons lost.

The background

The 2014 breach saw Andrew Skelton, a disgruntled senior internal auditor, upload the details of 99,998 staff to data sharing websites. The data included bank account details, salary information, dates of birth, National Insurance numbers, addresses and phone numbers.

The original court hearing heard that Skelton held a “considerable grudge” against Morrisons after he was accused of dealing drugs known as ‘legal highs’ at work. In 2015 he was found guilty of fraud and disclosing personal data and was jailed for eight years.

Morrisons spent more than £2 million tackling the breach. However, the High Court ruled the supermarket was vicariously liable because, despite Skelton’s criminality, he was acting in the course of his employment when he leaked the information online.

Although Morrisons funded protection measures for the affected staff, 5,518 former and current employees sought compensation from Morrisons for the upset and distress caused by the risk of identity theft and potential financial loss, claiming that the supermarket was responsible for breaches of privacy, confidence and data protection laws.

The first data leak class action in the UK

Morrisons sought to overturn the December 2017 High Court ruling in what was the UK’s first data breach class action, arguing that it could not be held directly or vicariously liable for the criminal misuse of the data, and that any other conclusion would be grossly unjust.

The supermarket said that it would now appeal to the Supreme Court:

Morrisons has not been blamed by the courts for the way it protected colleagues’ data, but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.

Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.

We believe we should not be held responsible, so that’s why we will now appeal to the Supreme Court.

What happens next?

If the hearing at the Court of Appeal had found in Morrisons’ favour, the claimants would have been denied compensation. As it is, a ‘quantum’ trial will now follow to assess how much the victims will receive in compensation.

There is also the further question of whether the 94,480 other employees affected will also seek compensation.

What lessons can organisations learn?

As part of his auditing role, Skelton was required to download personal data from one system and re-upload it to another. However well that data is protected while it sits in each system, the manual step places a complete copy of it in one individual’s hands, and the courts have now confirmed that what that individual then does with it can leave the employer vicariously liable. It’s a risk that no organisation should take.

A more secure option is direct system-to-system transfer over an authenticated, encrypted channel. Access is then granted to the receiving system under a defined permission rather than to a person, so only the systems meant to read the data can do so; every transfer is logged, leaving a record of who accessed what and when; and the risk of loss or misuse falls because no individual ends up holding a copy of the data outside the controlled systems, where it could be stored inappropriately or insecurely.
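To make the three controls above concrete, here is an added example (not code from the article or from any Morrisons system) written for this page. It models a gateway in front of a sensitive dataset: reads require an explicit permission, bulk reads are only granted to an approved system holding a separate bulk permission, and every decision is written to an audit trail. It goes one step further than the paragraph by running a check over that trail for the pattern in this case, an individual accumulating the whole dataset through many small reads that each pass the per-request limit. All principal names, the 500-record threshold, the record counts and the timestamps are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

BULK_THRESHOLD = 500  # constructed value: above this, a request counts as a bulk export


@dataclass
class Principal:
    name: str
    kind: str                      # "service" (a system) or "person"
    permissions: Set[str] = field(default_factory=set)


@dataclass
class AccessEvent:
    when: datetime
    principal: str
    kind: str
    dataset: str
    record_count: int
    allowed: bool
    reason: str


class DatasetGateway:
    """Single point through which a sensitive dataset is read.

    Reads need an explicit read permission; bulk reads are only granted to
    systems holding a separate bulk permission; every decision is recorded.
    """

    def __init__(self, dataset: str) -> None:
        self.dataset = dataset
        self.audit: List[AccessEvent] = []

    def request(self, principal: Principal, record_count: int, when: datetime) -> bool:
        read_perm = f"{self.dataset}:read"
        bulk_perm = f"{self.dataset}:bulk"
        if read_perm not in principal.permissions:
            allowed, reason = False, "no read permission"
        elif record_count > BULK_THRESHOLD and principal.kind != "service":
            allowed, reason = False, "bulk export by an individual is not permitted"
        elif record_count > BULK_THRESHOLD and bulk_perm not in principal.permissions:
            allowed, reason = False, "system lacks bulk permission"
        else:
            allowed, reason = True, "ok"
        # Denied requests are logged too: a refused bulk pull is itself a signal.
        self.audit.append(AccessEvent(when, principal.name, principal.kind,
                                      self.dataset, record_count, allowed, reason))
        return allowed


def people_exceeding_bulk(audit: List[AccessEvent],
                          window: timedelta = timedelta(hours=24),
                          threshold: int = BULK_THRESHOLD) -> Dict[str, int]:
    """Individuals whose allowed reads within any `window` sum past `threshold`.

    The gateway blocks one oversized request; this catches the other route to
    the same outcome, many small reads over a short period. Returns the
    largest in-window total seen for each flagged person.
    """
    flagged: Dict[str, int] = {}
    by_person: Dict[str, List[AccessEvent]] = {}
    for ev in audit:
        if ev.allowed and ev.kind == "person":
            by_person.setdefault(ev.principal, []).append(ev)
    for name, events in by_person.items():
        events.sort(key=lambda e: e.when)
        start = 0
        for end in range(len(events)):
            while events[end].when - events[start].when > window:
                start += 1
            total = sum(e.record_count for e in events[start:end + 1])
            if total > threshold:
                flagged[name] = max(flagged.get(name, 0), total)
    return flagged


def demo() -> dict:
    """Constructed scenario; returns the gateway decisions and the detection result."""
    gw = DatasetGateway("payroll")
    t0 = datetime(2014, 1, 1, 9, 0)   # constructed timestamp
    # Constructed principals: an approved transfer system and two people.
    payroll_sync = Principal("payroll-to-auditor-sync", "service", {"payroll:read", "payroll:bulk"})
    auditor = Principal("internal-auditor", "person", {"payroll:read"})
    visitor = Principal("contractor", "person", set())

    decisions = {
        "service_bulk": gw.request(payroll_sync, 99_998, t0),                       # allowed
        "person_bulk": gw.request(auditor, 99_998, t0 + timedelta(minutes=5)),      # denied
        "no_permission": gw.request(visitor, 1, t0 + timedelta(minutes=6)),         # denied
    }
    # The auditor then pulls 400 records an hour for three hours: each request
    # is under the threshold, so the gateway allows it, but the trail shows 1,200.
    for hour in range(3):
        gw.request(auditor, 400, t0 + timedelta(hours=1 + hour))
    return {"decisions": decisions,
            "flagged": people_exceeding_bulk(gw.audit),
            "events": len(gw.audit)}


if __name__ == "__main__":
    print(demo())
```

The point of keeping the audit list inside the gateway is that the record is produced by the control itself rather than by the caller, so a person cannot read the data without leaving an entry; the sliding-window check is the kind of review that makes those entries worth having.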

Morrisons has stated it will appeal again, so the case still isn’t over, even four years after the breach. We will have to wait and see what happens next.