Morrisons data breach

22 December 2017

Ahead of the implementation of the General Data Protection Regulation (GDPR) in May 2018, a recent class action ruling in the UK points to increasing costs for data breaches.

In November the High Court ruled that UK retailer Morrisons was liable for a security breach in 2014, in which the company’s former internal auditor deliberately leaked payroll data. The person responsible was jailed for eight years in 2015 for fraud, but a group of over 5,500 employees represented by JMW Solicitors subsequently sued the company. Morrisons, which has reportedly spent GBP 2 million defending the case, says that it now intends to appeal the decision.

LANDMARK CASE

The ruling is seen as significant, with potentially wide ranging implications for data controllers and insurers.

First, the ruling confirms that UK companies can be held vicariously liable for the acts committed by their employees in data breach cases. While the High Court found that Morrisons was not at fault in the way it protected the staff data, it did rule that the firm was responsible for the actions of its employee.

The decision shows that an employee with access to personal data can cause significant harm, liability and exposure to a company. Effectively, even though Morrisons had adequate controls in place to protect personal data, it may end up paying a large compensation bill.

NON-FINANCIAL LOSS

Perhaps more significantly, the High Court ruling builds on previous cases in which courts have allowed compensation claims for emotional distress in data breach cases. This is in stark contrast to the US where courts typically award compensation for financial losses directly attributable to a data breach.

In the 2015 case of Vidal-Hall v Google the Court of Appeal allowed three claimants to pursue Google for compensation for distress caused by breaches under the Data Protection Act. This was followed in 2017, when the judge in TLT v The Home Office awarded compensation for distress to a group of asylum seekers after their personal details were leaked by the Home Office. The claimants were awarded between GBP 2,500 and GBP 12,500 compensation each.

CLASS ACTIONS

The Morrisons case is also notable as the UK’s first successful class action for a data breach.

Class actions are particularly well-suited to data breaches, where a large number of potential claimants suffer a loss from the same event, at the same time. The success of the group action against Morrisons could encourage other similar claims.

Coincidently, consumer group Which recently called for changes to the Data Protection Bill to make it easier for consumers to access compensation for data breaches. A survey carried out by Which found that three quarters of consumers would welcome an independent body helping to get redress on a collective basis.

INCREASING EXPOSURE

Going forward, the combination of class actions, compensation for distress, and the GDPR could become a powerful driver for increased data breach costs.

According to law firm DAC Beachcroft, compensation awards for privacy and security breaches are increasing. It believes that people will eventually seek compensation following a data breach in much the same way as they do now for a slip or a trip.

GDPR will give data owners greater rights from May 2018 and will make it easier for them to seek legal redress. In addition to enhanced rights, the GDPR also contains a relatively broad definition of damages that includes non-financial damages.

INSURANCE

Cyber insurance typically covers non-financial damages like emotional distress resulting from a data breach, although policies do exclude physical damage. However, policies will limit indemnity, and with some breaches affecting millions of data owners, companies will need to assess their limits accordingly.

On the issue of vicarious liability, cyber cover will also pay claims arising from the acts of employees – both malicious and accidental – although fraudulent or criminal activities of a company’s senior executives would be excluded.

Download Cyber Decoder 

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on cyber@jltgroup.com