Supermarket chain Morrisons has lost a challenge to a High Court ruling that found it partly liable for a data breach leading to payroll data of around 10,000 staff being posted online.
Andrew Skelton, who was senior auditor at the organisation's Bradford headquarters, posted the workers' names, addresses, bank account details and salaries online in 2014, and was jailed for eight years for the offence in 2015.
Some 5,518 of the employees sought damages through the courts for the distress caused. In December 2017, the High Court ruled that Morrisons was vicariously liable for the criminal misuse of data.
The supermarket took the case to the Court of Appeal, but the judges backed the ruling of the lower court.
Nick McAleenan, partner at JMW Solicitors, which represents the employees, said: "These shop and factory workers have held one of the UK's biggest organisations to account and won, and convincingly so.
"This latest judgment provides reassurance to the many millions of people in this country whose own data is held by their employer."
Morrisons has stated that it will now take the case to the Supreme Court. A spokesman said: "Morrisons has not been blamed by the courts for the way it protected colleagues' data, but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.
"Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss."
The case is the first data class action in the UK.
The judgment stated that, if claims such as this continue to arise, the solution to the potentially high costs incurred was for employers to insure not only against data breaches caused by system failures or negligence, but also against losses caused by dishonest or malicious employees.
Lesley Holmes, data protection officer at MHR, said: “This case highlights the levels of technical and organisational controls that need to be in place even in the most trusted parts of your business to ensure that personal data is not stolen or otherwise misused.
“The original decision looked at the relationship between the company and Andrew Skelton and traced a golden thread of accountability throughout the collection, use and disclosure of the data for both parties.”
However, Susan Hall, intellectual property lawyer at Clarke Willmott, stated: “This is a bewildering judgment. The first instance decision was in many respects shocking, with the judge himself acknowledging that Morrisons had done nothing wrong. The data was leaked by a disgruntled employee, who was subsequently jailed.
“The verdict in the High Court effectively achieved the former employee’s purpose of punishing Morrisons by making them liable for potentially millions of pounds in compensation, through no fault of their own. That it has been upheld by the Court of Appeal will have employers up and down the country panicking, as there is very little they can do to guard against a similar situation.”