Supreme Court of UK gives Morrisons the go-ahead for mega data leak liability appeal

Brit supermarket chain WM Morrisons is headed for the Supreme Court to fight an earlier ruling that made it liable for one disgruntled employee dumping the personal details of 100,000 colleagues online.

As we reported back in October, the Court of Appeal upheld an earlier verdict holding the supermarket chain responsible for the actions of IT auditor Andrew Skelton.

Morrisons has now been formally granted permission to appeal against that judgment, meaning the case is definitely on. It will prove a landmark moment in British data protection law whatever the outcome. At the moment, companies can be held responsible ("vicariously liable" in the legal jargon) for actions of their employees, even where those employees are secretly doing things that are downright illegal.

Lord Justices Bean and Flaux, and Master of the Rolls Sir Terence Etheron, the three Court of Appeal judges who turned down Morrisons' last go, ruled that companies could just get insurance if they were worried about the financial consequences of being held liable for things they had no idea were going to happen.

In 2014 Skelton was formally disciplined by Morrisons after being caught using company postal facilities for his own personal mail. Aggrieved at this, he copied payroll data he was handling at work onto a USB stick, dumped the lot on Tor, and then posted CDs of the data to a handful of newspapers. One, the Telegraph and Argus, immediately told Morrisons what it had received instead of publishing it as Skelton had hoped. The cleanup operation cost Morrisons around £2m.

The perp is now serving an eight-year prison sentence handed down in 2015. Under current sentencing laws he can expect to be released from prison this year.

Morrisons is fighting a group litigation (class-action lawsuit, in Americanese) brought by 5,500 of its current and former employees.

Nick McAleenan, a data privacy law specialist at JMW Solicitors, is representing the employees. He said in a statement: "This was a very serious data breach which affected more than 100,000 Morrisons' employees – they were obliged to hand over sensitive personal and financial information and had every right to expect it to remain confidential. Instead, they were caused upset and distress by the copying and uploading of the information.

"While the decision to grant permission for a further appeal is of course disappointing for the claimants, we have every confidence that the right verdict will, once again, be reached – it cannot be right that there should be no legal recourse where employee information is handed in good faith to one of the largest companies in the UK and then leaked on such a large scale."

A Morrisons spokeswoman confirmed to The Register that permission to appeal had been granted earlier this week but declined to comment further. ®