Morrisons to launch fresh appeal against breach liability ruling

Morrisons has been granted permission to appeal to the Supreme Court in a second attempt to exonerate itself after being found legally responsible for a data breach, which affected more than 100,000 employees.

In October 2018, the Court of Appeal upheld a December 2017 High Court ruling against Morrisons that held the supermarket chain liable for a data breach in which a former employee posted the personal data of thousands of workers online in 2014.

The Court of Appeal comprised three senior judges, including the Master of the Rolls, who refused Morrisons permission to appeal further.

As a result, Morrisons applied directly to the Supreme Court for permission to appeal, which has been granted, opening the way for the supermarket giant to launch a second appeal.

More than 5,500 claimants are seeking compensation from Morrisons over the significant data leak, which in 2014 saw disgruntled former employee Andrew Skelton, then a senior internal auditor at the retailer’s Bradford headquarters, copy and then post staff’s payroll information on the internet.

The information included bank account details, dates of birth, salary information, National Insurance numbers, addresses and phone numbers.

Skelton was jailed for eight years in July 2015 following a trial at Bradford Crown Court, which heard that he sent the information to newspapers as well as placing it on data-sharing websites.

JMW Solicitors, the legal firm representing the claimants, notes that Skelton was disgruntled, having received disciplinary action following serious allegations, but he retained access to sensitive employee information, and that Morrisons has refused to accept legal responsibility for his actions.  

Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors said: “While the decision to grant permission for a further appeal is of course disappointing for the claimants, we have every confidence that the right verdict will, once again, be reached. It cannot be right that there should be no legal recourse where employee information is handed in good faith to one of the largest companies in the UK and then leaked on such a large scale.

“This was a very serious data breach which affected more than 100,000 Morrisons’ employees. They were obliged to hand over sensitive personal and financial information and had every right to expect it to remain confidential. Instead, they were caused upset and distress by the copying and uploading of the information,” he said.

After losing the first appeal, Morrisons said in a statement that the company had not been blamed by the courts for the way it protected employee data.

“But they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.

“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.

“We believe we should not be held responsible, so that is why we will now appeal to the Supreme Court.”