Supermarket chain Morrisons is in court this week faced with a lawsuit brought by thousands of current and former employees over a data breach which occurred in 2014.
The case, which is believed to be the first data breach class action in the UK, will be keenly watched by companies who worry it could open the floodgates to a new wave of court cases from workers and customers in the event of a data breach.
The personal details and payroll data of almost 100,000 employees were posted online after they were stolen by a fellow employee – an auditor at Morrisons’ Bradford head office. Andrew Skelton, who was found to have held a personal grudge against his employer, was sentenced to eight years in prison in 2015 after being found guilty of fraud and disclosing personal data of colleagues during his employment at Morrisons.
The employees party to the present lawsuit are seeking compensation for the distress and exposure they were subjected to when their personal details (including bank and salary details as well as addresses and National Insurance numbers) were posted online, after they had given them to Morrisons which had in turn failed to keep them secure.
There are not many precedents on data protection issues and whilst cases such as the TalkTalk data breach in 2015, which resulted in it being issued a £400,000 fine after customers’ personal data was leaked, have provided an indication as to the severity of punishments for breaches, many large businesses that handle personal data will be keeping an eye on the outcome of this case.
For further information or advice on database rights, data protection or how to ensure your organisation is compliant with the General Data Protection Regulation (GDPR) coming into force in May 2018, please get in touch.
Tidman Legal is a firm of intellectual property specialists based in Edinburgh.