The supermarket chain lost an appeal against a ruling that found it partly liable for the data breach, which saw sensitive details about staff posted on the web.
The case goes back to 2014, when a senior auditor at the supermarket’s Bradford headquarters, Andrew Skelton, leaked the payroll data of around 100,000 employees.
He posted the workers’ names, addresses, bank account details and salaries online and sent them to newspapers.
Skelton was jailed in 2015 for eight years.
Some 5,518 of those employees went to court, seeking compensation for the distress caused and arguing that the breach had exposed them to possible identity theft and financial loss.
They said that Morrisons was responsible for breaches of privacy, confidence and data protection laws, but Morrisons disagreed, saying it was not vicariously liable for the criminal misuse of data.
In December, the High Court found in favour of the employees and Morrisons took the case to the Court of Appeal.
On Monday, appeal court judges backed the lower court’s ruling, saying Morrisons was “vicariously liable for the torts committed by Mr Skelton against the claimants”.
Nick McAleenan, partner at JMW Solicitors, who represents the employees, said the judgement was a “wake-up call for business” and had provided “reassurance to the many millions of people in this country whose own data is held by their employer”.
He added that staff had been “obliged to hand over sensitive personal information and had every right to expect it to remain confidential”.
Morrisons said it would appeal to the Supreme Court, adding that it was not aware of anyone having suffered “direct financial loss” as a result of Skelton’s crimes.
A spokesman said: “Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.
“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged.”
During the appeal court hearing, Anya Proops QC, for Morrisons, had told judges that, if the High Court decision was allowed to stand, the company would be exposed to “compensation claims on a potentially vast scale”.
She said Skelton had leaked the employees’ data “as an act of vengeance and specifically in order to damage Morrisons’ interests”.
Many commentators saw the judgement as tough, with Rohan Massey, European head of privacy and cybersecurity at Ropes & Gray, saying he would be surprised if the Supreme Court did not hear Morrisons’ appeal.
He added: “The Court of Appeal’s suggestion that data controllers mitigate against the ‘potentially ruinous’ costs of data breach claims by taking out insurance may come as little comfort to businesses for whom the reputational costs and organisational disruption of such incidents can be just as costly.”
Nicola Cain, media and data enforcement and disputes partner at RPC, added: “Even if businesses have appropriate controls in place, there is very little further they can do to prevent a disgruntled employee from breaking the law and misusing personal data, meaning many businesses viewed the High Court’s ruling, which has now been affirmed by the Court of Appeal, as very harsh indeed.”