Morrisons is appealing a High Court judgement which found that it was vicariously liable for a data breach dating back to 2014.
The case involves a former disgruntled employee who leaked the personal information, including bank details, addresses, dates of birth and National Insurance numbers, of more than 100,000 staff on the internet. Although the individual involved was charged and sentenced to eight years in prison for fraud and disclosing personal information, Morrisons also came under fire for allowing the data breach to occur.
The High Court found last December that although the supermarket was not primarily responsible for the data leak, vicarious liability could be established. As such, the affected employees were eligible for compensation. However, the supermarket has now brought the case to the Court of Appeal.
JMW Solicitors, who are representing more than 5,000 former and current Morrisons staff, said that this was a classic ‘David and Goliath’ case.
“The victims here are shelf stackers, check-out staff and factory workers; just ordinary people doing their jobs,” Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors told Personnel Today.
“They were obligated to hand over sensitive financial and personal information to Morrisons… and had every right to expect that information to be kept confidential.
“Instead of recognising the impact on its employees, of what was a very serious data breach, Morrisons now seeks to avoid legal responsibility and protect its £374m annual profits – and despite the receipt of its own compensation to the tune of £170,000.”
McAleenan argued that, although the data leak was caused by the actions of one rouge individual, it still occurred at Morrisons’ head office, in their time and using their equipment. As such “it is only right that Morrisons be held legally responsible”.
If the Court of Appeal upholds the ruling then a separate trial will be held to assess the level of compensation that should be awarded.
Morrisons previously highlighted that a judge found that the retailer was not at fault in the way that it had protected the data, but it was responsible for the actions of the employee.
In a press statement released in December 2017, when the High Court made its ruling, a spokesperson for supermarket said: “Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.
“The judge said he was troubled that the crimes were aimed at Morrisons, an innocent party, and yet the court itself was becoming an accessory in furthering the aim of the crimes, to harm the company. We believe we should not be held responsible so that’s why we are appealing this judgment.”
