THOUSANDS of Morrisons staff should be compensated for the “upset and distress” caused by their personal details being posted on the internet, the High Court has heard.
Lawyers say the case – the first data leak class action in the UK – has potential implications for every individual and business in the country.
The case follows a security breach in 2014 when Andrew Skelton, a senior internal auditor at the retailer’s Bradford headquarters, leaked the payroll data of nearly 100,000 employees – including their names, addresses, bank account details and salaries – putting it online and sending it to newspapers
In July 2015 Skelton was found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data and jailed for eight years.
The trial heard that his motive appeared to have been a grudge over a previous incident in which he was accused of dealing in legal highs at work.
Yesterday, Jonathan Barnes, counsel for 5,518 former and current Morrisons employees, told Mr Justice Langstaff in London that the company had already been awarded £170,000 compensation against Skelton. He added that the trial judge said that Skelton wanted to do Morrisons “some real damage”.
“The judge was sure that the employees were victims too, and it is those victims who have received no compensation for their distress or loss of control of the situation,” Mr Barnes said.
He said that it was a “simple complaint” by the employees who were required to provide the information when they joined Morrisons.
“We say that, having entrusted the information to Morrisons, we should now be compensated for the upset and distress caused by what we say was a failure to keep safe that information.”
The employees claim the leak exposed them to the risk of identity theft and potential financial loss and that Morrisons, which denies liability, is responsible for breaches of privacy, confidence and data protection laws.
The trial, which is concerned only with liability, is due to last two weeks.
Anya Proops QC, for Morrisons, said Skelton’s actions had already caused serious damage to the firm, not least because it incurred more than £2 million in costs in responding to the misuse.
She said that while 5,518 claimants had joined the litigation, if they succeeded, that would open the door to claims from the other 94,480 individuals affected.
She said it was clear that the company could not be held directly or vicariously liable for Skelton’s criminal misuse of the data.
“Any other conclusion not only offends against basic legal principles but would also be grossly unjust and indeed perverse in all the circumstances,” Ms Proops told the court.
She added that the claimants had failed to establish that Morrisons fell short when it came to the issue of data security, and Skelton’s criminal disclosures could not be said to have been effected in the “course of his employment”, so there could be no vicarious liability.
Ms Proops said the novel issue of the extent to which a data controller/employer could be held liable under civil law in connection with the unauthorised, criminal misuse of third party data by an employee was of “huge importance” for all those who process personal data as a “data controller”.
The case continues.