Morrisons: £55m payout over 2014 'grudge' leak of payroll data 'grossly unjust'
Morrisons tells Supreme Court that it should not be held vicariously liable for payroll data leak by senior IT internal auditor Andrew Skelton
Morrisons has told the Supreme Court in London that it should not be held either directly or vicariously liable for the 2014 payroll data leak of almost 100,000 employees.
The leak was traced to its senior IT internal auditor Andrew Skelton, who held a grudge against the company following a disciplinary hearing over the use of the company's postal facilities for sending his private mail. He was jailed for eight years in 2015 for the data leak, but is due to be released in January.
The supermarket claimed in court that it was 'entirely blameless' for the incident
In a class-action lawsuit brought by around 9,000 of Morrison's 100,000 employees, the High Court and Court of Appeal ruled that the supermarket chain, the fourth-largest in the UK, should be held vicariously liable for the actions of Skelton.
The supermarket claimed in court that it was "entirely blameless" for the incident and that to hold it liable for data breaches by a rogue employees would expose it - and other organisations - to "compensation claims on a potentially vast scale".
Lord Pannick, representing Morrisons, told the Supreme Court that the High Court and Court of Appeal made "errors of law" leading to the wrong conclusion on the issue of liability for the data breach. The main legal argument of the supermarket chain is that the Data Protection Act 1988 - the breach was pre-GDPR - does not extend the concept of vicarious liability to breaches of the Act.
The High Court and Court of Appeal made "errors of law" leading to the wrong conclusion on the issue of liability
The raw facts of the case, according to Supreme Court documents are that "in November 2013… Skelton downloaded payroll data he was entrusted with at work onto a personal USB stick and took it home. In January 2014 he uploaded the data onto a file-sharing website and later sent it to newspapers".
According to court documents from Morrisons' appeal in 2018, "Skelton was annoyed by the disciplinary proceedings and the sanction. They left him with a grudge against Morrisons.
"On 1 November 2013 KPMG, Morrisons' external auditor, requested a number of categories of data from Morrisons in order to undertake the annual audit. That request included a copy of Morrisons' payroll data. Michael Leighton, of the HR department, copied the data onto an encrypted USB stick.
"He took the USB stick personally to Mr Skelton, who downloaded the data from the stick onto his laptop computer, which was itself encrypted. Mr Skelton subsequently copied the data onto another encrypted USB stick, which had been supplied by KPMG, and which he returned to KPMG."
Skelton was annoyed by the disciplinary proceedings and the sanction. They left him with a grudge against Morrisons
Skelton subsequently copied the payroll data onto a personal USB stick and in January posted the file containing the personal details of 99,998 staff onto a file-sharing website.
This personal data included names, addresses, salaries, national insurance numbers, phone numbers and bank account details, including sort codes.
He also wrote an anonymous letter to the local Bradford Telegraph & Argus newspaper purporting to be concerned over the discovery of the leak on the internet. His letter included a link to the file-sharing website where he had uploaded the data.
However, instead of publishing the letter, the newspaper alerted Morrisons.
Skelton was arrested on 19th March 2014 and charged with fraud under the Computer Misuse Act 1990 and section 55 of the Data Protection Act 1988. He was convicted in July 2015.
The class-action lawsuit was kicked off in November 2015. The case is being heard by the Supreme Court this week.