Supermarket vicariously liable for employee breach
Supermarket giant WM Morrison has lost its appeal against a ruling that it is liable for an intentional data breach by an employee, in the first class action data breach case.
In 2014, the supermarket’s disgruntled internal auditor, Andrew Skelton, posted bank account details, salary information, national insurance numbers, addresses and phone numbers of 100,000 employees to data sharing websites. Skelton was sentenced to eight years in prison and Morrison was held vicariously liable for his actions.
Ruling in WM Morrison Supermarkets v Various claimants [2018] EWCA Civ 2339, the Court of Appeal unanimously held the supermarket giant liable to the 5,518 claimants who sought compensation. Morrisons has been refused permission to appeal to the Supreme Court.
Nick McAleenan, partner at JMW Solicitors, who represented the claimants, said: ‘They were obliged to hand over sensitive personal information and had every right to expect it to remain confidential, but a copy was made and it was uploaded to the internet and they were put at risk of fraud, identity theft and a host of other problems.
‘Unsurprisingly, this caused a huge amount of worry, stress and inconvenience. The judgment is a wake-up call for business.’
Nicola Cain, partner at RPC, said: ‘The Court of Appeal’s decision in the Morrisons case is a stark warning to all businesses that they can end up facing huge data breach compensation claims despite doing nothing wrong at all.
‘The High Court specifically made the point that Morrisons met its legal obligations to protect its employees’ personal data. It was as much a victim in this case as those who had their data breached.’