Morrisons in new appeal over data breach fine

The Supreme Court has heard an appeal from retailer Morrisons as it attempts to overturn prior judgments holding it liable for a 2014 leak of employee data

Supermarket chain Morrisons has made a new attempt to overturn prior court judgments that found it liable for a major breach of internal data, and to fend off a lawsuit from more than 9,000 victims.

As before, the claimants in the lawsuit – who have grown in number since the previous cases – were represented by Manchester-based JMW Solicitors alongside 5RB Barristers.

Nick McAleenan, partner and data privacy specialist at JMW Solicitors, said: “This will be Morrisons’ second attempt to exonerate itself after being found legally responsible by the High Court and the Court of Appeal for a large-scale data breach, which affected tens of thousands of its staff.

“The senior justices of the Supreme Court, including the president of the Supreme Court, Lady Hale, will now hear Morrisons’ appeal.”

The 2014 breach saw personal information – including the bank account, salary and National Insurance details of 100,000 members of the supermarket’s workforce – posted to a file-sharing website by a former staff member, Andrew Skelton.

Skelton, who worked as a senior internal IT auditor at the retailer, was disgruntled after having been internally disciplined for unauthorised use of the firm’s internal mail systems for private purposes. He is serving an eight-year prison sentence and is currently set for release in early 2020.

The success of the appeal will hinge on the Supreme Court’s decision as to whether or not the 1998 Data Protection Act excludes the application of vicarious liability to a breach of the act, or for misuse of private information or breach of confidence. It will also look at whether or not the Court of Appeal erred in coming to the conclusion that the disclosure of data by Skelton occurred during the course of his employment, for which Morrisons should be held vicariously liable.

Morrisons, which was represented at the hearings on 6 and 7 November by Lord Pannick, has argued that the High Court and Court of Appeal both made a mistake when it came to determining liability. Its case is that, because Skelton’s job description was not to leak data, the breach did not actually occur during the course of his employment and therefore Morrisons should not be held liable.

“This is a remarkable case because…the employee’s purpose here was specifically to damage this employer. It is true…there were other victims, but they were not the targets and it would be striking indeed if an employer is vicariously liable for wrongful acts specifically aimed at that employer when the judge has rejected all criticisms of Morrisons for hiring that person and trusting him,” said Pannick at the conclusion of the 7 November morning hearing.

“At this point, can Morrisons really be vicariously liable for the acts of a rogue employee specifically directed at Morrisons?” he said.

Morrisons had previously pointed out that it worked to get the leaked data removed as soon as possible, provided protection for protected employees, and gave them reassurances that they would see no financial disadvantage from the breach.

As of April 2019, it said it had no evidence that anybody had suffered any direct financial loss arising from Skelton’s actions.
