[BreachExchange] Morrisons to launch fresh appeal against breach liability ruling

Destry Winant destry at riskbasedsecurity.com
Wed Apr 17 09:23:51 EDT 2019


https://www.computerweekly.com/news/252461816/Morrisons-to-launch-fresh-appeal-against-breach-liability-ruling

Morrisons has been granted permission to appeal to the Supreme Court
in a second attempt to exonerate itself after being found legally
responsible for a data breach, which affected more than 100,000
employees.

In October 2018, the Court of Appeal upheld a December 2017 High Court
ruling against Morrisons that held the supermarket chain liable for a
data breach in which a former employee posted the personal data of
thousands of workers online in 2014.

The Court of Appeal comprised three senior judges, including the
Master of the Rolls, who refused Morrisons permission to appeal
further.

As a result, Morrisons applied directly to the Supreme Court for
permission to appeal, which has been granted, opening the way for the
supermarket giant to launch a second appeal.

More than 5,500 claimants are seeking compensation from Morrisons over
the significant data leak, which in 2014 saw disgruntled former
employee Andrew Skelton, then a senior internal auditor at the
retailer’s Bradford headquarters, copy and then post staff’s payroll
information on the internet.

The information included bank account details, dates of birth, salary
information, National Insurance numbers, addresses and phone numbers.

Skelton was jailed for eight years in July 2015 following a trial at
Bradford Crown Court, which heard that he sent the information to
newspapers as well as placing it on data-sharing websites.

JMW Solicitors, the legal firm representing the claimants, notes that
Skelton was disgruntled, having received disciplinary action following
serious allegations, but he retained access to sensitive employee
information, and that Morrisons has refused to accept legal
responsibility for his actions.

Nick McAleenan, a partner and data privacy law specialist at JMW
Solicitors, said: “While the decision to grant permission for a further
appeal is of course disappointing for the claimants, we have every
confidence that the right verdict will, once again, be reached. It
cannot be right that there should be no legal recourse where employee
information is handed in good faith to one of the largest companies in
the UK and then leaked on such a large scale.

“This was a very serious data breach which affected more than 100,000
Morrisons’ employees. They were obliged to hand over sensitive
personal and financial information and had every right to expect it to
remain confidential. Instead, they were caused upset and distress by
the copying and uploading of the information,” he said.

After losing the first appeal, Morrisons said in a statement that the
company had not been blamed by the courts for the way it protected
employee data.

“But they have found that we are responsible for the actions of that
former employee, even though his criminal actions were targeted at the
company and our colleagues.

“Morrisons worked to get the data taken down quickly, provide
protection for those colleagues and reassure them that they would not
be financially disadvantaged. In fact, we are not aware that anybody
suffered any direct financial loss.

“We believe we should not be held responsible, so that is why we will
now appeal to the Supreme Court.”

