A data breach at UK food manufacturer Greencore could end up proving costly for the company, with a group of current and former employees seeking legal advice on whether to sue the business if their personal information was compromised. Employee data breach claims are becoming increasingly common, adding an additional headache for businesses that can already face large fines if information is stolen.
In a letter to staff last month, Greencore admitted suffering a data breach in December, in which information including employees’ roles and salaries, bank account details and other personal information was accessed by hackers. Further details of the incident, and the number of staff affected by the breach, are unknown, but the company employs more than 30,000 people across 35 sites throughout the UK and Ireland.
Data breach law firm Hayes Connor has taken up the case, and on Wednesday revealed it is working with up to 40 Greencore employees who suffered from the breach. Christine Sabino, a lawyer at Hayes Connor representing the potential claimants, said: “The information we have received is hugely concerning and further answers are clearly needed. This company employs thousands of people across a range of sites, but no real indication has been provided on how many have been affected.
“While we have heard first-hand from a number of people worried by these developments, there will likely be many more who are also concerned about what has happened,” she said.
Greencore said it “takes matters of data security extremely seriously”. A company statement added: “We’ve been working alongside a team of IT forensic experts who continue to investigate the incident,” and said that identity monitoring resources have been available to those affected.
Employee data breach claims are becoming more common
Individual and class action suits against companies by employees over data breaches are becoming increasingly common in the UK. Just this month, 106 members of staff at UK Mercedes dealership LSH Auto began legal proceedings after personal data was accessed.
“It happens more often than you’d think,” says Chris Hauk, consumer privacy champion at Pixel Privacy. “Employees can claim negligence, saying that the company did not take the necessary steps to protect their data from a data breach. They could also claim that the company is in breach of contract as it was obligated to protect the employee’s information.”
Such suits can be costly. The University of Pittsburgh Medical Centre suffered a breach in 2014, after which 66,000 employees filed a class action lawsuit in an employer data breach claim. Their case was successful and the claimants received $2.65m in August of last year.
Mishandling of employee data can be particularly costly when it comes to regulatory action too, says Toni Vitali, data security lawyer and partner at law firm Gateley Legal. "When [UK data watchdog] the Information Commissioner's Office (ICO) decides whether to bring a sanction or what level of fine to impose, it often takes into account what the bits of information are," he adds. "And the more information that's been disclosed, the higher the fine or the higher the sanction."
Fines can be up to £17.5m or 4% of a company's total annual worldwide turnover, whichever is higher, according to ICO guidelines.
What tech leaders can do to avoid employee data breach lawsuits
The information that companies hold about their employees is often highly sensitive, explains Vitali. "You might have gathered information about their religious beliefs or their ethnic background. You have information about their pay, their benefits, you are likely to be paying them regularly into a bank account each month."
"If you were to write down the list of information that you have about your employees, it's going to be five times, ten times as much information that you have about a customer," Vitali adds.
This makes employee data attractive to criminals. Jason Steer, global CISO at security firm Recorded Future, says "there are a wide range of threat actors who would love to get hold of this personal data and so will go to great lengths to obtain it."
Employers should be protecting employee data at all costs to avoid these sorts of issues. "A responsible employer should, at a very minimum, encrypt the data that it holds on behalf of its employees," explains Simon Milner, cyber insurance agent at Miller Insurance.