CIPD: Employees claim retailer ‘ultimately responsible’ for breaches of privacy. Supermarket chain Morrisons is being sued by 2,000 (and potentially more), of its own staff following the arrest and conviction in July of former disgruntled employee, Andrew Skelton, who leaked swathes of his colleagues bank, salary and national insurance details.
The ‘group litigation order’ is being handled by JMW solicitors, who were given an extra four-months by the High Court yesterday, to allow other employees to come forward and join the claim.
Skelton, formerly an internal auditor at Morrisons’ Bradford head quarters, uploaded details of 99,998 staff to file sharing websites in 2013 and is now serving an eight-year jail sentence for his actions.
He committed the act in revenge for being found out for using the company post room to send personal ebay packages. But according to JMW’s lawyers, the supermarket are also culpable as they could have done more to protect staff data.
“My clients’ position is that Morrisons failed to prevent a data leak which exposed tens of thousands of its employees to the very real risk of identity theft and potential loss,” said Nick McAleenan, JMW’s data privacy lawyer representing the staff.
The action is believed to be Britain’s first ever group claim relating to a breach of data, with staff alleging it is Morrisons that is ultimately responsible for breaches of privacy, confidence and data protection law.
McAleenan claims the case has “important implications for every employee and every employer”, in the country. He said: “Whenever employers are given personal details of their staff, they have a duty to look after them. This is especially important given most companies now gather and manage such material digitally, meaning it can be accessed and distributed relatively easily if the information is not protected.”
At the High Court hearing lawyers claimed staff faced “the very real risk of identity theft and potential loss”. They also claim staff are now worried about how the leaks might affect their credit ratings.
A spokesman for Morrisons said: “We are contesting this case. We are not accepting liability for the actions of a rogue individual. We can confirm that we are not aware that anybody suffered any financial loss from this breach.”
But in spite of Morrisons stance that it should not be held responsible, it has been suggested the case could still cost the employer £2 million to resolve. Yesterday investors reacted badly to the news, and its share price dropped by more than 1.5 per cent.
The case has put more pressure on the struggling grocery retailer, which saw year-on-year sales fall by 1.4 per cent in September.