Companies Are keeping a Close Eye on Morrisons Data leak Case

Thousands of Morrisons workers are seeking compensation for a data leak that occurred when a former senior internal auditor at the supermarket’s head office in Yorkshire shared the payroll information of nearly 100,000 employees online.

Andrew Skelton received an eight-year prison sentence in 2015 for fraud. He shared employee details online in retaliation for being disciplined by Morrisons after he was found using eBay to sell ‘legal highs’ during working hours.

Employees’ addresses, bank and salary details, and National Insurance numbers were all posted online. The workers argue that they were left vulnerable to the risk of identity theft and potential financial loss after the company failed to prevent the leak. They argue that Morrisons should be held legally accountable for breaches of confidence, data protection and privacy laws.

The case is thought to be the first data leak class action in the UK, and is likely to be followed closely by many other employers who fear that it may lead to similar claims from workers and customers in the event of a company data breach.

If the court case finds Morrisons legally responsible for the data leak, then a second court case will take place to determine the level of compensation to be given to victims.

Supermarket denies any legal liability

Morrisons has denied all legal liability in response to the claims made by its employees. The company said it took down the information once it was alerted to its presence online, and also says it offered compensation and identity theft protection to any employees who had found themselves the victim of fraud because of the leak. In addition, Morrisons has reportedly spent over £2m trying to address the issues that have arisen in response to the case.

Growing number of data leaks at companies

The Morrisons case comes at a time of growing concern in the wake of data leaks that have hit prominent businesses. In August 2017, TalkTalk was fined £100,000 by the Information Commissioner’s Office for failing to prevent the sharing of details of 21,000 of its customers.

In October 2015, TalkTalk was also fined £400,000 after a cyber-attack shared the personal data of over 156,959 customers, including customers’ personal bank details.

The information commissioner, Elizabeth Denham, argued that TalkTalk had “failed to look after its customers’ data and risked it falling into the hands of scammers and fraudsters” as a result of its most recent data breach.

She said:

“TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse. TalkTalk should have known better and they should have put their customers first.”

There have been similar data breaches at large companies, including Yahoo and Tesco Bank, this year.

Companies face growing pressure to protect the data entrusted to them

In response to the increase in data protection breaches and other cyber-crimes, the Government introduced the Data Protection Bill to the House of Lords in September 2017.

The bill provides an updated approach to data protection laws, which will contain more forceful requirements for tackling data breaches. The bill will also include the EU’s new General Data Protection Regulation (GDPR) that will see that companies are fined 4% of their global annual turnover if found responsible for data breaches.

The GDPR, which has been described as the biggest ever overhaul of data legislation and which the UK government will implement despite Brexit, comes into force on May 25^th 2018. The Information Commissioner’s Office (ICO) is publishing practical guidance to support organisations to prepare for the change.

Contact IBB’s employment lawyers for expert advice on policies, employee dispute resolution, Tupe and more

Our Employment team provides advice on the employment aspects of all major business decisions. For advice, contact a member of the team, call us on 03456 381381 or email enquiries@ibblaw.co.uk.