Supreme Court grants permission to appeal in mass data breach case
The Supreme Court has granted the defendant supermarket chain permission to appeal the Court of Appeal's decision in WM Morrison Supermarkets Plc v Various Claimants  EWCA Civ 2339. The appeal will consider the principle of vicarious liability in respect of statutory data protection claims and common law misuse of private information claims.
The claim is being brought under a Group Litigation Order by 5,518 of 999,998 of Morrison's employees affected by a data breach in 2014. In January 2014, Andrew Skelton, an apparently disgruntled employee of the supermarket posted a file containing the personal data (including salaries, bank details, and National Insurance numbers) of 99,998 Morrisons’ employees on a file-sharing website. It seems his intention was to cause mass-scale damage to the supermarket. In March 2014, a CD containing the data was sent to three UK newspapers, one of whom alerted Morrisons. At first instance, the High Court found that Morrisons was not directly liable for Mr Skelton’s wrongdoing, but was vicariously liable (Various Claimants v Wm Morrisons Supermarket PLC  EWHC 3113 (QB)). Our blog on the first instance decision can be found here.
In October 2018, the Court of Appeal dismissed an appeal by Morrisons (Various Claimants v WM Morrison Supermarkets PLC  EWCA Civ 2339), ruling that the supermarket was still liable notwithstanding that the employee was acting in bad faith. Our blog on the Court of Appeal's decision can be found here.
In granting permission to appeal, the Supreme Court has determined that there is an arguable point of law of general public importance. At the present time, it is not known when the appeal will be listed.
If you have been a victim of a data breach and wish to take legal action click here to see how our specialist privacy solicitors can assist.
Articles are intended as an introduction to the topic and do not constitute legal advice.