The High Court has allowed a compensation claim by thousands of Morrisons staff whose personal details were posted on the internet by a disgruntled employee.
The case has potential implications for every individual and business in the country.
It follows a security breach in 2014 when Andrew Skelton, a senior internal auditor at the retailer’s Bradford headquarters, leaked the payroll data of nearly 100,000 employees - including their names, addresses, bank account details and salaries - putting it online and sending it to newspapers.
A group of 5,518 former and current Morrisons employees said this exposed them to the risk of identity theft and potential financial loss and that Morrisons was responsible for breaches of privacy, confidence and data protection laws.
They are seeking compensation for the upset and distress caused.
Morrisons said it could not be held directly or vicariously liable for Skelton’s criminal misuse of the data and any other conclusion would be grossly unjust.
Following Mr Justice Langstaff’s decision on liability on Friday, Nick McAleenan, of JMW Solicitors, said: “The High Court has ruled that Morrisons was legally responsible for the data leak.
“We welcome the judgment and believe that it is a landmark decision, being the first data leak class action in the UK.”
The judge ruled that vicarious liability, but not primary liability, had been established.
He said: “I hold that the Data Protection Act (DPA) does not impose primary liability upon Morrisons; that Morrisons have not been proved to be at fault by breaking any of the data protection principles, save in one respect which was not causative of any loss; and that neither primary liability for misuse of private information nor breach of confidentiality can be established.
“I reject, however, the arguments that the DPA upon a proper interpretation is such that no vicarious liability can be established, and that its terms are such as to exclude vicarious liability even in respect of actions for misuse of private information or breach of confidentiality.”
He added: “The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims.
“I grant leave to Morrisons to appeal my conclusion as to vicarious liability, should they wish to do so, so that a higher court may consider it, but would not, without further persuasion, grant permission to cross-appeal my conclusions as to primary liability.”
Mr McAleenan said: “Every day, we entrust information about ourselves to businesses and organisations. We expect them to take responsibility when our information is not kept safe and secure.
“In the Morrisons case, almost 100,000 bank account details, National Insurance numbers and other data was entrusted to a fellow employee to look after. Instead, however, he uploaded the information to the internet.
“This private information belonged to my clients. They are Morrisons checkout staff, shelf stackers, factory workers - ordinary people doing their jobs.
“The consequences of this data leak were serious. It created significant worry, stress and inconvenience for my clients.”
In July 2015 Skelton was found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data, and was jailed for eight years.
The trial heard that his motive appeared to have been a grudge over a previous incident where he was accused of dealing in legal highs at work.
Counsel Jonathan Barnes said the company had already been awarded £170,000 compensation against Skelton, and his other “victims” should be compensated too.
Anya Proops QC, for Morrisons, said Skelton had already caused serious damage to the firm, not least because it incurred more than £2 million in costs in responding to the misuse.
If the claim succeeded, it would open the door to the other 94,480 individuals affected.
Ms Proops said it had not been established that Morrisons fell short when it came to data security, and Skelton’s criminal disclosures could not be said to have been effected in the “course of his employment”, so there could be no vicarious liability.
“The imposition of vicarious liability in this case would otherwise result in the untenable situation where the court was effectively realising Skelton’s criminal objective of damaging Morrisons’ interests in the most absolute fashion, and otherwise exposing Morrisons to a compensation burden of a grossly disproportionate order.”
Ms Proops said the novel issue of the extent to which a data controller/employer could be held liable under civil law in connection with the unauthorised, criminal misuse of third party data by an employee was of “huge importance” for all those who process personal data as a “data controller”.
“This would obviously include not only commercial enterprises but also charities, governmental bodies, self-employed professionals, clubs, associations, non-governmental organisations and all manner of entities and persons who process data other than for domestic purposes.”