Morrisons vicariously liable for employee’s data breach
Matt Cardy/Getty Images
Several thousand supermarket staff have won a ruling that they may claim compensation after an employee leaked their personal details on the internet.
In a ruling with implications for every individual and business in the country, the High Court said that the supermarket chain Morrisons was vicariously liable for the actions of Andrew Skelton, who leaked the payroll data of nearly 100,000 employees. It is the first successful class action for a data breach in the UK.
In 2014 Skelton, a senior auditor at the retailer’s Bradford headquarters, released the names, addresses, bank account details, salaries and national insurance numbers of the employees, putting them online and sending them to newspapers. In 2015, Skelton was jailed for eight years on three charges of fraud. The data breach cost the company more than £2 million in professional and legal fees to rectify.
A group of 5,518 former and current Morrisons employees lodged a claim for compensation for the upset and distress caused. They said that the leak exposed them to the risk of identity theft and potential financial loss and that Morrisons was responsible for breaches of privacy, confidence and data protection laws.
Morrisons said that it could not be held directly or vicariously liable for Skelton’s criminal misuse of the data and any other conclusion would be grossly unjust. But on Friday Mr Justice Langstaff ruled that Morrisons was legally responsible for the data leak even though it was not directly to blame. He held “that the Data Protection Act does not impose primary liability upon Morrisons, that Morrisons have not been proved to be at fault by breaking any of the data protection principles”, other than in one respect that did not cause loss. However, the judge rejected the argument that “no vicarious liability can be established”.
He granted Morrisons leave to appeal and there will be a future hearing to determine what compensation Morrisons must pay.
Nick McAleenan, a partner at Manchester law JMW Solicitors, which acted for the claimants said: “We welcome the judgment and believe that it is a landmark decision, being the first data leak class action in the UK.”
Anya Proops, QC, of 11KBW chambers in the Temple, appeared for Morrisons, and told the court that Skelton had already caused serious damage to the supermarket chain, not least because of its costs in responding to the misuse. If the claim succeeded, she said, it would open the door to the other 94,480 individuals affected.
Andrew Moir, a partner at City of London law firm Herbert Smith Freehills, predicted that many similar cases would be brought over data breaches. “Given the regularity and scale of the data breaches we’re now seeing and the millions of customers affected,” he said, “even if the amount each customer receives is small the amounts involved will very quickly add up.”