In 2014, an internal auditor at Morrisons, the fourth largest chain of supermarkets in the United Kingdom leaked the payroll data of nearly 100,000 employees. The internal auditor posted the information - including names, addresses, bank account details and salaries - online and and sent it to newspapers.
In an investigation the internal auditor was arrested and was found guilty of fraud, securing unauthorised access to computer material and disclosing personal data and jailed for eight years in 2015.
Workers brought a claim against the company, the first data leak class action in the UK. Morrisons argued that it could not be held liable for the criminal misuse of its data. Morrisons further argued:-
they should not be held responsible
they worked to get the data taken down quickly, provide protection for the workers and reassure them that they would not be financially disadvantaged
The courts found that Morrisons are responsible for the actions of the former employee, even though this criminal actions were targeted at the company and their colleagues. Morrisons appealed but the Court of Appeal upheld the original decision against the supermarket, issued in December 2017.
Morrisons said it would now appeal to the Supreme Court.
If that appeal fails, those affected will be able to claim compensation for "upset and distress".
This judgement at the Court of Appeal provides reassurance to the many millions of people in the world whose own data is held by their employer.