Morrisons found liable for data leak
Supermarket Morrisons has been found liable for the actions of a former member of its staff who stole the data of thousands of employees and posted it online.
More than 5,500 staff brought a claim against the company after internal auditor Andrew Skelton stole the data, including salary, National Insurance and bank details, of nearly 100,000 staff.
The High Court ruling allows the claimants, 1,000 of whom are in Yorkshire, to seek compensation from the supermarket over the breach of data security in 2014. The case is the first data leak class action in the UK.
Skelton was jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud.
Lawyers said the data theft meant a group of 5,518 former and current employees were exposed to the risk of identity theft and potential financial loss and that the company was responsible for breaches of privacy, confidence and data protection laws.
At the High Court hearing sitting in Leeds, the judge, Mr Justice Langstaff, ruled that Morrisons was vicariously liable, adding that primary liability had not been established.
Commenting on today’s decision, Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who represents the claimants, hailed it as a landmark case.
He said: “The High Court has ruled that Morrisons was legally responsible for the data leak. We welcome the judgement and believe that it is a landmark decision, being the first data leak class action in the UK.
“The consequences of this data leak were serious. It created significant worry, stress and inconvenience for my clients.”
Morrisons has been granted leave to appeal against the decision. After the hearing, a Morrisons spokesperson said:“A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes.
“The judge found that Morrisons was not at fault in the way it protected colleagues’ data but he did find that the law holds us responsible for the actions of that former employee, whose criminal actions were targeted at the company and our colleagues.
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. The judge said he was troubled that the crimes were aimed at Morrisons, an innocent party, and yet the court itself was becoming an accessory in furthering the aim of the crimes, to harm the company. We believe we should not be held responsible so we will be appealing this judgement.”
