[BreachExchange] Thousands of Morrisons workers could get a payout for 'upset and distress' after personal details were posted on the internet

Destry Winant destry at riskbasedsecurity.com
Sat Dec 2 23:22:06 EST 2017


http://www.manchestereveningnews.co.uk/news/greater-manchester-news/morrisons-high-court-leaked-details-13979640

Supermarket giant Morrisons has been found liable for a huge data leak
in a landmark case that could lead to payouts for thousands of
workers.

The High Court has allowed a compensation claim by thousands of staff
whose personal details were posted on the internet.

The case has potential implications for every individual and business
in the country.

It follows a security breach in 2014 when Andrew Skelton, a senior
internal auditor at the retailer's Bradford headquarters, leaked the
payroll data of nearly 100,000 employees - including their names,
addresses, bank account details and salaries - putting it online and
sending it to newspapers.

A group of 5,518 former and current Morrisons employees said this
exposed them to the risk of identity theft and potential financial
loss and that Morrisons was responsible for breaches of privacy,
confidence and data protection laws.

They are seeking compensation for the upset and distress caused.

Morrisons said it could not be held directly or vicariously liable for
Skelton's criminal misuse of the data and any other conclusion would
be grossly unjust.

Following Mr Justice Langstaff's decision on liability on Friday, Nick
McAleenan, of JMW Solicitors, said: "The High Court has ruled that
Morrisons was legally responsible for the data leak.

"We welcome the judgment and believe that it is a landmark decision,
being the first data leak class action in the UK."

It follows a security breach in 2014 when Andrew Skelton, a senior
internal auditor at the retailer's Bradford headquarters, leaked the
payroll data of nearly 100,000 employees, including names, addresses,
bank account details and salaries, putting it online and sending it to
newspapers.

In July 2015 he was found guilty at Bradford Crown Court of fraud,
securing unauthorised access to computer material and disclosing
personal data, and jailed for eight years.

His motive appeared to have been a grudge over a previous incident
when he was accused of dealing in legal highs at work.

In October, Jonathan Barnes, counsel for 5,518 former and current
Morrisons employees, told Mr Justice Langstaff - who will give his
decision on liability on Friday - that the company had already been
awarded £170,000 compensation against Skelton.

He said the employees should also be compensated for the upset and
distress caused by the alleged failure to keep their information safe.

They claim the leak exposed them to the risk of identity theft and
potential financial loss and that Morrisons is responsible for
breaches of privacy, confidence and data protection laws.

Anya Proops QC, for Morrisons, said Skelton had already caused serious
damage to the firm, not least because it incurred more than £2 million
in costs in responding to the misuse.

If this claim succeeded, it would open the door to the other 94,480
individuals affected.

It was clear, she argued, that the company could not be held directly
or vicariously liable for Skelton's criminal misuse of the data.

"Any other conclusion not only offends against basic legal principles
but would also be grossly unjust and indeed perverse in all the
circumstances."

She added that the claimants had failed to establish that Morrisons
fell short when it came to data security, and Skelton's criminal
disclosures could not be said to have been effected in the "course of
his employment", so there could be no vicarious liability.

"The imposition of vicarious liability in this case would otherwise
result in the untenable situation where the court was effectively
realising Skelton's criminal objective of damaging Morrisons'
interests in the most absolute fashion, and otherwise exposing
Morrisons to a compensation burden of a grossly disproportionate
order."

