The Court of Appeal have upheld the decision by the High Court in December 2017 to hold Morrisons vicariously liable for a data leak by a former employee, in which the personal details relating to almost 100,000 members of staff, including names, addresses, salary, and bank details, were posted online, and sent to newspapers. However, Morrisons are to appeal the ruling to the Supreme Court.
Morrisons Are To Appeal To Supreme Court
Whilst employed as a senior internal auditor with Morrisons in 2014, Andrew Skelton, posted the names, addresses, salary details, national insurance numbers, and bank account details, of almost 100,000 staff members online and sent them to various newspapers. He was later convicted of fraud, of securing unauthorised access to computer data, and of disclosing the personal data relating to staff, at Bradford Crown Court, and sentenced to 8 years in prison.
Some of those members of staff who had had their data leaked sued Morrisons in the first ever class action relating to data leaks, claiming compensation for upset and distress. Last November, the High Court found in favour of the Claimant’s, holding Morrisons vicariously liable for the data leak. Morrisons appealed the decision to the Court of Appeal, who have now upheld the ruling. The Court held that: “[Morrisons] submitted that, given that there are 5,518 employees who are claimants in the present case, and the total number of employees whose confidential information was wrongly made public by Mr Skelton was nearly 100,000, this illustrates how enormous a burden a finding of vicarious liability in the present case will place on Morrisons and could place on other innocent employers in future cases. These arguments are unconvincing. As it happens Mr Skelton’s nefarious activities involved the data of a very large number of employees although, so far as we are aware, none of them has suffered financial loss. But suppose he had misused the data so as to steal a large sum of money from one employee’s bank account. If Morrisons’ arguments are correct, then (save for any possible claim against the bank) such a victim would have no remedy except against Mr Skelton personally.”
In response to the Court of Appeals ruling, Morrisons are to appeal to the Supreme Court. A spokesperson for the company stated: “A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he’s been found guilty for his crimes. Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues. Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss. We believe we should not be held responsible so that’s why we will now appeal to the supreme court.”
Implications Of The Court Of Appeals Ruling
It is a well established principle that employers can be held vicariously liable for the acts and omissions of their employees, including wrongful acts, committed in the course of their employment with their employer. The Court of Appeals ruling confirms that such vicariously liability extends to data leaks. Nevertheless, the Court’s ruling is questionable, as it is hard to see what more that Morrisons could have done to prevent the data leak. Hence, the fact that Morrisons are to appeal to the Supreme Court. However, this ruling, in conjunction with recent changes relating to GDPR, mean that employers cannot be too careful in terms of data protection matters.