Morrisons loses at High Court

The supermarket Morrisons has failed in its High Court challenge against being held liable for a security breach that saw the personal information of thousands of its staff posted online. The case, the first data-leak class action in the UK, follows the events of 2014 when Andrew Skelton, then a senior internal auditor, sent the personal details – including names, addresses, salary and bank details – of almost 100,000 Morrisons employees to newspapers.

Skelton was jailed for eight years in 2015 for the crimes of fraud, securing unauthorised access to computer material and disclosing personal data. More than 5,000 employees claimed compensation for the distress caused, arguing that they’d been exposed to possible identity theft and financial loss, and that Morrisons was responsible for breaches of privacy, confidence and data protection laws.

The High Court rejected Morrisons’ argument that it couldn’t be held liable for the criminal misuse of its data, ruling that the supermarket was “vicariously liable for the torts [harm done] committed by Mr Skelton against the claimants”.

Morrisons insists it worked to get the data removed quickly, to provide protection for the affected staff, and to reassure them they wouldn’t be financially disadvantaged. The supermarket also says it’s not aware of anyone having suffered “direct financial loss” as a result of Skelton’s crimes. The company says it will appeal to the Supreme Court.

Legal opinion

This is a wake-up call for businesses to the reality of data-handling in today’s society, even if this case started before the introduction of GDPR. Our advice is to ensure your business has a data-handling policy in place, that it is correctly adhered to and that it includes full staff training, regular refreshers, and frequent checks to see if any changes need making to the policy. Data-handling policies can never be watertight – a policy can’t always stop a rogue employee who sets out to damage an employer, but at least it will help show that the company did everything it could to keep employee data safe.

Many businesses will find this High Court decision severe, even unfair. We’re now keen to see the Supreme Court’s take on things.