UK supermarket giant Morrisons is in the Court of Appeal this week fighting to overturn a judgement that it should compensate employees after a major insider data leak.
A High Court judge ruled last year that the company was “vicariously liable” for the actions of one of its employees, former internal auditor Andrew Skelton, who published the personal details of 100,000 employees online and sent them to several newspapers.
The leaked data included NI numbers, birth dates and bank account details, and Skelton was eventually jailed for eight years back in 2015.
Morrisons argued at the time that it had already paid around £2m to mitigate the breach. However, it was also awarded £170,000 in compensation, while employees got nothing.
In the UK’s first class action lawsuit, over 5000 of these employees subsequently took the supermarket chain to court, demanding compensation for the “upset and distress” caused by disgruntled insider Skelton’s actions.
The retailer’s lawyers are arguing this week that their client cannot be held “vicariously liable” because the Data Protection Act 1998 — the legislation in place at the time of the incident — excludes vicarious liability.
Representing the claimants, JMW Solicitors data privacy specialist Nick McAleenan argued that Morrisons is looking to protect its £374m annual profits rather than recognize the impact of the breach on its employees.
“This is a classic David and Goliath case — the victims here are shelf-stackers, checkout staff and factory workers; just ordinary people doing their jobs,” he reportedly said.
“They were obligated to hand over sensitive financial and personal information to Morrisons — including national insurance numbers, dates of birth and bank account details — and had every right to expect that information to be kept confidential.”