The Morrisons data leak involved sensitive data from more than 100,000 of the company’s employees.
This represents the first class action law suit involving a data breach in the United Kingdom.
“Vast” Data Leak Compensation
Morrisons released a statement in which it said it plans to appeal a decision made requiring it to pay a “vast” compensation bill for the data breach it experienced several years ago. This most recent ruling against it occurred in the supermarket’s latest appeal in the case. It lost the appeal for a ruling that placed the company partly liable for the data breach.
The case involved a breach in which the sensitive employee details were posted on the web. It occurred in 2014, at which time a senior auditor, Andrew Skelton, at the Morrisons’ Bradford headquarters, leaked the payroll data of approximately 100,000 people working for the company.
Skelton posted the names, addresses, salaries, and bank account details online, sending them to newspapers. In 2015, Skelton was sentenced to eight years in jail for his crime.
Among the affected workers, 5,518 joined a class action lawsuit, seeking compensation for the distress they experienced as a result of the data breach involving their sensitive information. The employees argued that this data breached exposed them to potential financial loss and identity theft.
They accused Morrisons of being responsible for breaches of confidence, privacy, and data protection laws. That said, Morrisons argued that it was not vicariously liable for any criminal misuse of the data involved in the breach Skelton caused.
The High Court’s Ruling
In December 2017, the High Court made its ruling in favor of the employees in the class action suit. That said, Morrisons then brought the case to the Court of Appeal. Monday, the appeal court judges upheld the lower court’s previous ruling. Those judges stated that the supermarket chain was “vicariously liable for the torts committed by Mr Skelton against the claimants.”
JMW Solicitors partner, Nick McAleenan, who represented the employees in the case, stated that the judgment should be considered a “wake-up call for business”. Moreover, he stated that the case would also offer “reassurance to the many millions of people in this country whose own data is held by their employer.”