Morrisons 430

The High Court has ruled that retailer Morrisons is legally responsible for a payroll data leak committed by a former employee.

The two-week High Court trial, which commenced on Monday 9 October 2017, was a class action lawsuit brought by 5,518 current and former Morrisons employees, seeking compensation after a payroll data leak in 2014 led to nearly 100,000 employees’ personal information being posted on the internet. This included staff members’ bank details, salary, national insurance information, addresses and phone numbers.

The case, which was the first data leak class action case in the UK, was intended to determine whether Morrisons was liable for the data leak. The claimants argued that the retailer failed to prevent the leak, therefore exposing staff to the risk of identity theft and potential financial losses. The claimants also alleged that Morrisons was ultimately legally responsible for breaches of privacy, confidence and data protection laws. In the proceedings, Morrisons denied all legal liability in this instance.

The High Court found that primary liability for misuse of private information and breach of confidentiality could not be established under the Data Protection Act 1998, however it ruled that secondary (vicarious) liability could be established, relating to existing case law. In this case, this refers to when a lone employee commits a breach of statutory obligations while acting in the course of employment.

A future court hearing will be scheduled to determine what compensation Morrisons must pay to the claimants.

Morrisons has been granted permission to appeal the High Court decision.

The lawsuit originated from the conviction of Andrew Skelton, a former senior internal auditor at Morrisons. At Skelton’s 2015 trial, Bradford Crown Court heard that the former employee held a grudge against the organisation after he received disciplinary action for using Morrisons’ mail room to operate an eBay business. He, therefore, leaked employees’ personal data online, also alerting newspapers and websites. Skelton was jailed for eight years for fraud, securing unauthorised access to computer material and disclosing personal data.

At the time of the incident, Morrisons removed published personal information and offered identity theft protection and compensation to anyone who suffered fraud as a result of the leak. Morrisons incurred costs of £2 million due to the fall out.

The Honourable Mr Justice Langstaff, who ruled over the proceedings, said: “Morrisons did not directly misuse any information personal to the data subjects. Nor did [it] authorise its misuse, nor permit it by any carelessness on [its] part. If Morrisons [is] liable it must be vicariously or not at all.

“I reject the arguments that the [Data Protection Act] upon a proper interpretation is such that no vicarious liability can be established, and that its terms are such as to exclude vicarious liability even in respect of actions for misuse of private information or breach of confidentiality. Having rejected them, I hold that, applying Mohamud principles, secondary (vicarious) liability is established.

“The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims. I grant leave to Morrisons to appeal my conclusion as to vicarious liability, should [it] wish to do so, so that a higher court may consider it: but would not, without further persuasion, grant permission to cross-appeal my conclusions as to primary liability.”

Nick McAleenan, partner and data privacy law specialists at JMW Solicitors, which represented the claimants, added: “The High Court has ruled that Morrisons was legally responsible for the data leak. We welcome the judgement and believe that it is a landmark decision, being the first data leak class action in the UK.

“Every day, we entrust information about ourselves to businesses and organisations. We expect them to take responsibility when our information is not kept safe and secure. In the Morrisons case, almost 100,000 bank account details, national insurance numbers and other data was entrusted to a fellow employee to look after. Instead, however, he uploaded the information to the internet. This private information belonged to my clients. They are Morrisons’ checkout staff, shelf stackers, factory workers, ordinary people doing their jobs.

“The consequences of this data leak were serious. It created significant worry, stress and inconvenience for my clients. Data breaches are not trivial or inconsequential matter. They have real victims. At its heart, the law is not about protecting data or information, it is about protecting people.”

Andrew Moir, global head of cybersecurity at law firm Herbert Smith Freehills, said: "The case is significant because it is the first successful class action in the UK arising from a data breach, and establishes the principle that [organisations] can be vicariously liable for ‘inside-jobs’ perpetrated by their employees. This is in addition to any primary liability if [organisations] fail to look after their customers' data.

"It also paves the way for those affected by data breaches to claim damages for any distress caused, even if they have not suffered any financial loss as a result of the breach. Given the regularity and scale of the data breaches we're now seeing and the millions of customers affected, even if the amount each customer receives is small, the amounts involved will very quickly add up. We are now much more likely to see such cases being brought off the back of data breaches."

Antonis Patrikios, head of cybersecurity at Fieldfisher, added: "Organisations are already concerned about the regulatory fines and potential impact on their reputation data breaches can have, but this case shows the real potential harm from civil claims for data breaches by those affected. In the UK and the EU [European Union], this is a new area of risk for most organisations. It is likely to be a game changer.

"This case emphasises the increasing tendency towards class actions in the field of data protection, and more of these are likely because the new EU data protection law, the General Data Protection Regulation (GDPR), makes it easier for individuals to bring claims. At the same time, certain law firms become more experienced at representing mass claimants against [organisations].

"What is key to remember is that despite this breach being from within their own [organisation] from a trusted employee, even when the [organisation] is the victim of criminal activity, the responsibility for keeping personal data secure and confidential still lies with the organisation that decides how the data should be used, such as Morrisons in this case. The key questions for organisations are: are we taking appropriate steps to protect the data and are we appropriately prepared to respond to incidents that put the data at risk?”