Staff win landmark case over Morrisons data leak
Written by staff reporter
Supermarket chain Morrisons has been found liable for a data leak involving financial and personal data of almost 100,000 members of staff following a trial in the High Court.
Information including salaries, national insurance numbers, dates of birth and bank account numbers were among the details leaked by a former disgruntled employee – Andrew Skelton – in 2014. Skelton, who worked at the company’s headquarters in Bradford, West Yorkshire, was jailed in 2015 for his crime.
In what is the UK’s first data protection class action, over 5,500 current and former employees sued Morrisons over the breach and although the judge found that the company had provided “adequate and appropriate” controls and was unaware that Skelton posed a threat, Justice Langstaff said that secondary or vicarious liability for the actions of one of its employees had been established.
The ruling potentially paves the way for future claims and significantly increases the risk of liability and business exposure to the malicious actions of current or former employees.
Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who represented the claimants in the case said: “Every day, we entrust information about ourselves to businesses and organisations. We expect them to take responsibility when our information is not kept safe and secure.
“In the Morrisons case, almost 100,000 bank account details, national insurance numbers and other data was entrusted to a fellow employee to look after. Instead, however, he uploaded the information to the internet. This private information belonged to my clients. They are Morrisons’ checkout staff, shelf stackers, factory workers – ordinary people doing their jobs. The consequences of this data leak were serious. It created significant worry, stress and inconvenience.”
Morrisons was granted leave to appeal the vicarious liability ruling and says it plans to do so as it does not believe it should be held responsible given the procedures it had in place and its prompt action to remove the leaked data following the breach.