Supermarket chain Morrisons has today been held liable for the actions of a former member of staff who stole and leaked the data of thousands of employees online in 2014.
The affected employees brought a class action claim against Morrisons on the basis that they had been exposed to the risk of identity theft and potential financial loss. The employees contended that Morrisons was responsible for breaches of privacy, confidence and data protection law.
Mr Justice Longstaff ruled at a High Court hearing, sitting in Leeds, that Morrisons was vicariously liable for the data breach. Significantly, the ruling may pave the way for those affected by such data breaches to claim compensation for the “upset and distress” caused. Morrisons intends to appeal the decision.
This case highlights the importance of businesses engaging with data protection, both internally and externally, and reviewing existing policies and procedures ahead of the incoming General Data Protection Regulation (GDPR).
The risk of being sued by affected employees or customers for a data breach is in addition to the risk of being prosecuted by the Information Commissioner’s Office, with penalties under the GDPR of either up to €10m or 2% of turnover, or up to €20m or 4% of annual turnover.
The message to businesses, directors and owners is clear – the need to keep data protected is essential to the prosperity of the business.
For further information, or to arrange an in-house training session ahead of the GDPR changes in May 2018, please contact Ben Jackson, solicitor in our corporate and commercial team:
Call: 0191 232 8345