The case dates back to 2014, when Andrew Skelton, an internal auditor at Morrisons, posted the names, addresses, bank account details, national insurance numbers and salaries of more than 100,000 employees online. He was jailed for eight years.
In December, the High Court ruled that the supermarket was vicariously liable for the data breach and that employees should receive compensation. More than 5,500 claimants are seeking a payout in the case, even though there has been no indication that anyone has suffered financially from the leak.
The supermarket says it will now take the case to the Supreme Court.
Nick McAleenan, partner at JMW Solicitors, which is representing the claimants, said the judgment was a “wake-up call” for all businesses. “People care about what happens to their personal information. They expect large corporations to take responsibility when things go wrong in their own business and cause harm to innocent victims. It’s important to remember that data protection is not solely about protecting information – it’s about protecting people.”
Meanwhile, Richard Hayllar, partner at UK law firm TLT, said the judgment indicates that data breaches will become the next big claims theme for businesses, one that is also likely to attract the attention of claims management companies.
He added: "The fact that the Court of Appeal has confirmed that Morrisons is vicariously liable for the loss resulting from the criminal actions of a former employee will sound warning bells and have significant ramifications for every business."
Hayllar said that businesses will need to review who has access to data and how it is protected, leading to further investment in data loss prevention and limiting access to data to prevent a breach from happening.
"Data security isn't just about protecting yourself from potential fines and reputational damage. This case has confirmed businesses can face considerable damages for financial and non-financial loss as well – mere distress is sufficient for damages to be paid. The Court of Appeal's decision will push data protection even further up the corporate agenda."
However, Nicola Cain, media and data enforcement and disputes partner at London-based law firm RPC, pointed out that even if businesses have appropriate controls in place, there is very little further they can do to prevent a disgruntled employee from breaking the law and misusing personal data.
She added: "That makes it critical for businesses, particularly those who are data controllers of high volumes of personal data, to take out insurance policies against employee dishonesty and fraud. While any compensation payable to a specific individual is likely to be relatively low, in the hundreds of pounds, the cumulative sums coupled with legal fees could be huge for many businesses."