Supermarket operator Morrisons could be liable to compensate thousands of employees whose personal data were made public by the criminal acts of another employee.
Three judges at the Court of Appeal in London upheld a ruling by the High Court that the company was vicariously liable, despite its argument that it would be grossly unjust to impose such liability.
A class action was brought by more than 5,500 employees after a security breach in 2014 when Andrew Skelton, a senior internal auditor at Morrisons' Bradford headquarters, leaked the payroll data of about 100,000 employees, including their names, addresses, bank account details and salaries. He was subsequently jailed for eight years on charges of fraud and data misuse.
The claimants say this exposed them to the risk of identity theft and potential financial loss, and that Morrisons was responsible for breaches of privacy, confidence and data protection.
The company told the court that it faced claims on "a potentially vast scale" if the ruling was allowed to stand, though it was "entirely blameless".
However, Sir Terence Etherton, Master of the Rolls, Lord Justice Bean and Lord Justice Flaux upheld the vicarious liability ruling, in what is the first data leak class action in the UK.
Nick McAleenan, partner at JMW Solicitors who represents the claimants, commented that the claimants "were obliged to hand over sensitive personal information and had every right to expect it to remain confidential, but a copy was made and it was uploaded to the internet and they were put at risk of fraud, identity theft and a host of other problems. Unsurprisingly, this caused a huge amount of worry, stress and inconvenience".
He added: "The judgment is a wake-up call for business. People care about what happens to their personal information."