UK Info Commish quietly urged court to swat away 100k Morrisons data breach sueball
Supermarket says it's innocent and we don't need more than that, ICO told judges
The UK's Information Commissioner urged the Court of Appeal to side with Morrisons in the supermarket’s battle to avoid liability for the theft and leaking of nearly 100,000 employees’ payroll details – despite not having read the employees’ legal arguments.
A letter (PDF) sent to the Court of Appeal in May 2018 on behalf of the watchdog's leader, Elizabeth Denham, urged senior judges to side with Morrisons and rule the supermarket wasn’t responsible for the criminal actions of disgruntled auditor Andrew Skelton.
Crucially, the letter – written by an Information Commissioner’s Office solicitor on Denham’s behalf – admitted the ICO had only seen one side of the detailed legal arguments, months before the case was heard by judges. Those same judges later ruled against Morrisons, effectively dismissing the Information Commissioner's letter.
Skelton, an auditor for the supermarket chain, had authorised access to its entire payroll while KPMG was auditing the company accounts. He took a secret copy for himself and later dumped nearly 100,000 people’s data online, having tried to cover his tracks by using Tor. Around 9,000 workers (the number is growing) aggrieved by the breach sued Morrisons, saying it was vicariously liable for Skelton’s behaviour – and should pay them compensation.
Although the case refers mostly to the pre-GDPR Data Protection Act 1998, the legal principles that will be stated in the Supreme Court's ultimate judgment will have a lasting effect on how British data protection law is applied to businesses.
Sent four months before the October 2018 Court of Appeal hearings, the Information Commissioner’s letter said “she is in agreement with the position adopted by the Appellant [i.e. Morrisons] for the reasons set out in its skeleton argument.”
Morrisons’ legal reasons for arguing it shouldn’t pay compensation for the data breach were reported here. In brief, barrister Anya Proops QC said Morrisons was “completely innocent in respect of this data event” and the Data Protection Act 1998 meant Morrisons could not be held directly or vicariously liable for the actions of its rogue auditor.
Half the story
Essentially, Information Commissioner Denham was urging the court to side against the thousands of workers whose data was stolen and dumped online. Not only that, but she was doing so having only seen Morrisons’ legal arguments, as lawyers for the workers told the Supreme Court last week in written submissions:
The ICO’s support for Morrisons in the Court of Appeal by its letter of 8 May 2018 is more notable for what it does not say. The ICO did not have the Claimants' Respondents' Skeleton Argument for the Court of Appeal (which with diffidence the Claimants would contend contained the substantial bases upon which the appeal was dismissed). Nor did the ICO consult with the Claimants' advisers as to their position in relation to the various arguments at that stage raised by Morrisons.
Denham's letter can be read in full here.
Ultimately the Court of Appeal ruled against Morrisons, finding that the supermarket was vicariously liable for Skelton’s actions. The case has since been appealed again to the Supreme Court, whose judges are pondering their ruling at the moment.
The Information Commissioner's Office did not respond to The Register's invitation to comment on the letter or its intervention into the case. ®