Supermarket giant Morrisons should not be held liable for the criminal act of an employee with a "grudge" who leaked the payroll data of around 100,000 members of staff, the UK's highest court has heard.
The argument was presented to the Supreme Court on Wednesday during a bid by the company to overturn a ruling which gave the go-ahead for compensation claims by thousands of employees whose personal details were posted on the internet.
Lord Pannick QC, representing Bradford-based Morrisons, told a panel of five justices, including the court's president, Lady Hale, that there was an "extraordinary background" to the case - the first data leak class action in the UK.
It involved the conduct of an employee, Andrew Skelton, who disclosed staff information on the internet and also sent it to newspapers "because of a grudge against Morrisons and in order to damage Morrisons".
The company has said it could not be held directly or vicariously liable for the criminal misuse of the data, and that any other conclusion would be grossly unjust.
But, in previous rulings, both the High Court and Court of Appeal have held that it is "vicariously liable" for Skelton's actions.
It has been argued on behalf of Morrisons that if those findings were allowed to stand, the company, although "entirely blameless", would be exposed to "compensation claims on a potentially vast scale".
The latest round of the litigation at the Supreme Court follows a blow for Morrisons at the Court of Appeal in October last year, when three leading judges upheld a 2017 High Court finding on the issue of liability.
'The North-South divide caused Brexit, now leaders must come to the North to win December's General Election'
GPS tracking apps, panic alarms, and a ban on after-dark canvassing - the safety precautions taken on Yorkshire's divided campaign trail
Legal action was launched after a security breach in 2014 when Skelton, a senior internal auditor at the retailer's Bradford headquarters, leaked the payroll data of around 100,000 employees.
Information included their names, addresses, bank account details and salaries.
Lawyers for more than 9,000 claimants have described the action as a "classic David and Goliath case".
They are seeking compensation for the upset and distress caused in a case with potential implications for every individual and business in the country.
In July 2015, Skelton was found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data, and was jailed for eight years.
Lord Pannick told the justices at a hearing in London that Skelton remains in prison, with a release date in January.
He submitted that the lower courts made "errors of law" and reached the "wrong answer" on the question of liability.
Around 200 refugees could be settled in North Yorkshire under new Government scheme
Mixed reaction in church after 62-year-old Leeds vicar reveals tattoo
In written submissions, Jonathan Barnes, for the claimants, argues that the company's appeal should be dismissed as "Morrisons is vicariously liable to the claimants for the conduct of its employee Mr Skelton".
The Supreme Court is being asked to decide whether the Data Protection Act 1988 (DPA) excludes the application of vicarious liability to a breach of that Act, or for misuse of private information or breach of confidence.
It is also being asked to rule on whether the Court of Appeal "erred in concluding that the disclosure of data" by its employee occurred in the course of his employment, for which the company should be held vicariously liable.