Over 5,500 employees of supermarket giant Morrisons could all claim compensation after they had their personal data published online.
A former employee of the supermarket chain posted details of staff addresses and bank account details in 2014. He was jailed for 8 years for this and, for the first time, the employer is now being held liable for the incident.
This could have implications for any business or organisation that holds sensitive data on their employees. If there is a sensitive data breach the company could be held legally responsible. This is the first data leak class action of its kind.
It all started in 2014, when a senior auditor, Andrew Skelton, leaked the payroll details of around 100,000 employees. He posted workers’ names, addresses, bank acocount details and salaries online and sent them to newspapers. He was jailed in 2015 for eight years.
Around 5,500 of those employees bought a class action against Morrisons seeking compensation. They claim that Morrisons was laible for the release of the information, because, despite Andrew Skelton’s crime, he was acting in the course of his employment.
Morrisons denied responsibility for this, claiming they could not of predicted the event and stopped the actions of a rouge employee, plus no one suffered direct financial loss as a result. However, the court disagreed with Morrisons and said: “Morisons was vicariously liable for the torts committed by Mr Skelton against the claimants”. This is the second court ruling in favour of the employees. Despite this, Morrisons have vowed to appeal the decision to the Supreme Court.
A Spokesperson for Morrisons said: “Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues. Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged.”
This could cost Morrisons potentially millions of pounds. The claim was bought by the 5,500 or so employees, but there were another 95,000 employees who also had their data stolen and who could also join in the claim for compensation.
According to a government report, nearly half the businesses in the UK have fallen victim to cyberattacks or security breaches in the last year, costing them each thousands of pounds. The most common breaches or attacks involved fraudulent emails, attempts by scammers to impersonate the organisation online and viruses and malware. Files were temporarily or permanently lost, software or systems corrupted, firms and charities had websites slowed or taken down and money, assets and intellectual property were stolen.
The findings follow a warning from intelligence officials that organisations holding vast quantities of personal data and payment information are at a greater risk of online attacks. Organisations need to make sure there systems are updated and have the approprite systems inplace to protect against online crime. The government has also said it is investing over £1 Billion to protect the country from cyber attacks.
