Leading judges are to rule in the latest round of a legal battle for compensation by thousands of supermarket staff whose personal details were posted on the internet.
Three judges in London will announce their decision on Monday on a challenge by supermarket giant Morrisons against a ruling last year on the issue of liability in the first data leak class action in the UK.
Litigation was launched after a security breach in 2014 when Andrew Skelton, a senior internal auditor at the retailer’s Bradford headquarters, leaked the payroll data of around 100,000 employees.
Information included their names, addresses, bank account details and
A group of 5,518 former and current employees said this exposed them to the risk of identity theft and potential financial loss and that Morrisons was responsible for breaches of privacy, confidence and data protection laws.
They are seeking compensation for the upset and distress caused in a case with potential implications for every individual and business in the country.
Morrisons said it could not be held directly or vicariously liable for the criminal misuse of the data, and that any other conclusion would be grossly unjust.
But a High Court judge found in December that vicarious liability had been established.
The company challenged that finding at a recent Court of Appeal hearing before the Master of the Rolls Sir Terence Etherton, Lord Justice Bean and Lord Justice Flaux.
A lawyer representing the company said the challenge was over the ruling that it is “vicariously liable” for the “criminal online disclosure of
significant quantities of payroll data effected by a rogue employee”.
Anya Proops QC said that if the High Court decision was allowed to stand Morrisons was exposed to “compensation claims on a potentially vast scale”.
Ms Proops said that the company, although “entirely blameless”, was potentially exposed to compensation claims not only in respect of the 5,518 but from all of the individuals affected by the criminal disclosure.
She said there was no dispute “that Skelton effected his criminal disclosure as an act of vengeance and specifically in order to damage Morrisons’ interests”.
In a statement issued before the latest proceedings in the litigation, Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who is representing the claimants, described it as a “classic David and Goliath case”.
He said Morrisons was seeking “to reverse the High Court’s findings of
vicarious liability made in the claimants’ favour, thereby denying the claimants any compensation whatsoever for the considerable distress and inconvenience caused by Mr Skelton’s actions”.
He said: “It cannot be right that there is no legal recourse where employee information has been handed to one of the largest companies in the UK and then leaked on such a large scale, in such circumstances.”
In July 2015 Skelton was found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data and jailed for eight years.