Morrisons is defending itself in the first data protection/data leak class action in the UK; the first case of its kind but not the last. On Monday, three senior High Court Judges rejected Morrisons’ appeal against the High Court’s December 2017 ruling that the supermarket was “vicariously liable” for their employees criminal actions. The appeal was rejected on the grounds that Morrisons had second-hand liability for the misuse of private and confidential data of employees by a co-employee.

What Happened?

Morrisons suffered its first blow in 2014 when their senior internal auditor, Andrew Skelton, now imprisoned, leaked the payroll data of its employees. Past and present employees were enraged when their confidential data including names, addresses, bank account details and salaries were posted online. Mr Skelton also sent breached data to newspapers. He was imprisoned for five years in 2015 but the saga for Morrisons has long continued. A class action was brought against Morrisons by its enraged employees. Morrisons claims to have taken the data down immediately and provided reassurance to their employees that they would not suffer any financial loss as a result of the leaked data. Whether you think that Morrisons’ reaction to their data breach was adequate or not, the judgment has been ruled against them.

The Reality

Cyber security threats are a harsh reality for many businesses and this could happen to your business. If there is anything to be learnt from Morrisons, it is that businesses should be extra vigilant with their data. Hackers are not always hooded, organised, IT savvy criminals. That is not to say Morrisons had inadequate data protection policies in place or inadequate cyber security. Morrisons may have just been unlucky in this instance, however in law, the odds have so far been against them. It is virtually impossible to protect you or your business from unpredictable behaviours of staff, but there are some measures you can put in place to prevent a data breach. Ask yourself the following:
  • Where are your clients’; suppliers’ and employees, past and present data stored?
  • Who has access to this data?
  • Are you holding information unnecessarily therefore putting your business at unnecessary risk? (The key here is to delete data that has no business relevance.)
  • Do you have the necessary cyber security in place to prevent both an internal and external data breach?
Should you suffer from a data breach or a cyber security threat, seek legal advice immediately. There are reactive measures to put in place which can put a stop to the entity threatening your business and its data. Advice may also be provided to you for the parties you owe a duty of care to and who may suffer as a result of that breach. Morrisons has filed for a further appeal with the Supreme Court and awaits a decision…
Griffin Law is a dispute resolution firm comprising innovative, proactive, tenacious and commercially-minded lawyers. We pride ourselves on our close client relationships, which are uniquely enhanced by our transparent fee guarantee and a commitment to share the risks of litigation.  If you have any specific questions regarding a dispute, please email or call 01732 52 59 23.


Edited by Narinder Hothi, Solicitor