Morrisons has been found liable for the actions of a former member of its staff who stole the data of thousands of employees and posted it online.
Workers brought a claim against the company after employee Andrew Skelton stole the data, including salary and bank details, of nearly 100,000 staff.
The High Court ruling now allows those affected to claim compensation for the “upset and distress” caused.
The case is the first data leak class action in the UK.
It follows a security breach in 2014 when Skelton, then a senior internal auditor at the retailer’s Bradford headquarters, leaked the payroll data of employees.
He posted the information, including names, addresses, bank account details and salaries, online and sent it to newspapers.
Skelton’s motive appeared to have been a grudge over an incident when he was accused of dealing so-called legal highs at work.
He was jailed for eight years in 2015 after being found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data.
Lawyers said the data theft meant a group of 5,518 former and current employees were exposed to the risk of identity theft and potential financial loss and that the company was responsible for breaches of privacy, confidence and data protection laws.
At the High Court hearing sitting in Leeds, the judge, Mr Justice Langstaff, ruled that Morrisons was vicariously liable, adding that primary liability had not been established.
Following the ruling, Nick McAleenan of JMW Solicitors, acting for the claimants, said: “The High Court has ruled that Morrisons was legally responsible for the data leak.
“We welcome the judgment and believe that it is a landmark decision, being the first data leak class action in the UK.”
Morrisons has been granted leave to appeal against the decision.
Go to source.