Thousands of Morrisons staff should be compensated for the “upset and distress” caused by their personal details being posted on the internet, the High Court has heard.
The case which opened in London, Monday – the first data leak class action in the UK – follows a security breach in 2014 when Andrew Skelton, a senior internal auditor at the firm’s Bradford HQ, leaked the payroll data of nearly 100,000 employees – including their names, addresses, phone numbers, bank account details and salaries – putting it online and sending it to newspapers.
In July, 2015, Skelton was found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data and jailed for eight years.
The case has been brought by 5,518 current and former employees of Morrisons, who allege that the firm which denies liability, failed to prevent the leak and exposed them to the risk of identity theft and potential financial loss.
If the claimants are successful, a second trial will go ahead to determine the level of compensation for victims.
Jonathan Barnes, counsel for the employees, told Mr Justice Langstaff that the company had already been awarded £170,000 compensation against Skelton and that the trial judge said that Skelton wanted to do Morrisons “some real damage.”
He added: “The judge was sure that the employees were victims too, and it is those victims who have received no compensation for their distress or loss of control of the situation.”
He said it was a “simple complaint” by the employees who were required to provide the information when they joined Morrisons.
“We say that, having entrusted the information to Morrisons, we should now be compensated for the upset and distress caused by what we say was a failure to keep safe that information.”
Anya Proops QC, for Morrisons, said Skelton’s actions had already caused serious damage to the firm, not least because it incurred more than £2m in costs in responding to the misuse. She said that if the 5,518 claimants succeeded, it would open the door to claims from the other 94,480 individuals affected.
She said it was clear that the company could not be held directly or vicariously liable for Skelton’s criminal misuse of the data, adding: “Any other conclusion not only offends against basic legal principles but would also be grossly unjust and indeed perverse in all the circumstances.”
She said the claimants had failed to establish that Morrisons fell short when it came to the issue of data security, and Skelton’s criminal disclosures could not be said to have been effected in the “course of his employment.”
The trial, which is concerned only with liability, is due to last two weeks.