Morrisons case increases liability for employers

Supermarket Morrisons lost its appeal following a breach at the company which resulted in thousands of its employees’ details being posted online. The case is the first data leak group action in the UK.

For employers, this could lead to significant increases in liability when it comes to data breach cases.

What happened in this case?

In December 2017, in a landmark ruling, the High Court found Morrisons supermarket group liable for a mass data breach caused by the criminal actions of a rogue employee. In this case, the employee stole data from nearly 100,000 staff. This included names, addresses, salary and bank details. The information was then posted online and sent to newspapers. The media did not publish the data and Morrisons was informed of the breach. The employee was subsequently jailed for eight years.

Despite acknowledging that Morrisons had taken all the appropriate steps to prevent a breach, the High Court found that the company was primarily liable for its own acts and omissions (such as not ensuring the proper security measures to protect the data).

Crucially, the judge also ruled that Morrisons was “vicariously liable” for the actions of the employee, Skelton. In a workplace context, an employer can be vicariously liable for the actions of its employees, as long as it can be shown that those actions took place in the course of their employment.

The decision to hold Morrisons vicariously liable is important as it gives victims more opportunities to seek compensation following a data breach (companies are more likely to be insured against such liability than employees).

But the decision had even wider-reaching implications. Until this case, a person who suffered damage might have had their compensation increased to take into account any associated distress, but in most cases no payment would have been awarded for distress alone. However, the ruling paved the way for those affected by data breaches to claim damages for distress, even if they have not experienced any financial loss. And that could be huge.

Morrisons went on to challenge the decision, but in October 2018, the Court of Appeal upheld the original ruling against the supermarket with three judges saying they agreed with the High Court’s earlier decision.

Where next?

Over the last 18 months, we have seen numerous examples of significant personal data loss. Many of these violations have been able to occur due to weaknesses contained in companies’ IT software.

As the trend towards a cashless society accelerates, this will continue as retailers and other businesses seek quicker and slicker interfaces with their consumers, both at the point of sale and throughout the customer journey.

In the case of Morrisons, significant steps were taken to protect data, but those steps failed. In this instance, the data was lost at the hands of an employee turned hacker. However, data is also at risk simply because of careless employees going about their day-to-day business.

The latest ruling is the tip of a very large iceberg. Mass data breach actions are also being made against Ticketmaster and British Airways among others. Such actions, when properly prepared and investigated, will have significant financial consequences in terms of damages and costs.

Data breaches on a large scale are a real and pressing threat. In response, the clear and overwhelming view of the Court of Appeal is that such events must be foreseen by companies, and insured against.

The reaction of the insurers to such events, their provision of cyber cover and premium costs is now under the spotlight. Indeed, we predict a situation where the volume of exclusions to policies will increase.

Companies must now protect themselves better from data loss. But they also need to be extremely vigilant as to the activities and errors of their employees to be afforded the cover they pay for, or think they pay for.

Morrisons has now said that it will take its fight to the Supreme Court. But if the decision is upheld, the case will have widespread repercussions for employers, not least because this interpretation of vicarious liability could leave them open to an unprecedented level of legal action. How businesses mitigate this increased risk profile remains to be seen.

At Hayes Connor Law, we help to keep you compliant with robust policies and procedures.

For bespoke advice that is cost-effective, confidential, and appropriate to your business, contact us today.

Are data breaches going to lead to a litigation bonanza?

Earlier this month, it was reported that a seminar in Dublin discussed how data breaches are set to become the ‘personal injury claim of the future’[1]. And that, with the introduction of the GDPR and the Data Protection Act 2018, this new legislation “creates the potential for a major expansion of liability claims to both controllers and processors of data”.

And the truth is, with the ability to claim for ‘injury to feelings’ as well as compensation for financial damages, organisations should be worried.

Of course, when you’re running a business, the last thing you want to think about is the possibility of things going wrong. But our online world has led to many different types of cyber offences, from data breaches to computer fraud, identity theft, defamation, hacking, phishing scams, and more. And with these types of crimes on the rise, simply sticking our heads in the sand is a terrible idea. In fact, with the possibility of massive fines for non-compliance (up to €20 million or 4% of annual global turnover), failure to act could be catastrophic. And that’s before you add on the cost of litigation.

Businesses simply must look at options to mitigate risk and any resulting compensation claims.

How real is the risk?

Earlier this year, the head of the UK’s National Cyber Security Centre (NCSC) warned that a major cyber-attack on the UK is a matter of “when, not if”. And, as well as the probability of overwhelming disruption to Britain’s critical infrastructure, small to medium businesses can’t risk thinking that the threat doesn’t apply to them.

In fact, the NCSC has also warned that such businesses are woefully unprotected, and has urged business leaders to check their readiness for cyber attacks. Not least because, according to the NCSC:

“Small and medium businesses make up 99.9% of all businesses in the UK, and employ 16.1 million people, or 60% of the country’s private employment. However, almost half (43%) of British SMEs admit to having no business continuity, disaster recovery or crisis management plans in place, despite almost the same number of UK businesses (46%) suffering at least one cyber security breach or attack.”

Protecting yourself from cyber litigation doesn’t have to be difficult

Cyber security can feel daunting for SMEs, but there are some quick and affordable steps you can take to protect your business from most online attacks and the resulting litigation.

The NCSC’s Cyber Security: Small Business Guide is a good place to start.

Businesses, in-house legal teams and other organisations should also consider expert legal advice to help meet their data protection obligations. This includes things like:

  • Creating and/or reviewing your data protection policies to ensure compliance with the latest regulations and industry guidance
  • Protecting, licensing and enforcing your Intellectual Property rights (both in the UK and Internationally)
  • Seeking legal advice on patents, licensing and trademarks
  • Drafting robust confidentiality agreements
  • Developing GDPR-friendly policies and templates such as Terms & Conditions and Privacy Notices
  • Establishing compliant processes for responding to data breaches made against your business
  • Creating compliant procedures for responding to subject access requests
  • Ensuring expert legal advice on data sharing and security
  • Seeking advice on freedom of information requests
  • Establishing a lawful basis for data processing (and ensuring you have robust documentation in place)
  • Ensuring your employment contracts and policies are compliant with the latest data protection regulations and industry guidance.

In addition to keeping you compliant with robust policies and procedures, the right preparation won’t just reduce the likelihood of data breaches occurring; it will also limit the fallout should the worst happen. Because, when it comes to defending yourself against a claim, you need to show that you did everything in your power to keep the data you hold safe.

In business, it pays to think the unthinkable. For bespoke advice that is cost-effective, confidential, and appropriate to your business, contact us today.
What to do if your business data has been breached

Could you be entitled to business data loss compensation?

Your company’s confidential data is one of its most valuable assets. Customer information databases, IP, trademarks etc. all help to give a competitive edge and can be the difference between success and failure.

The good news is that data protection does not just apply to individuals and consumers. Businesses have rights too, and as such, where a mistake or other breach has occurred, companies can make a business data breach claim for compensation.

How to protect your business data

Businesses can protect themselves and their assets in a number of different ways, with prevention always better than cure. So, if you are entrusting your valuable data to a third party, it always pays to make sure that they have adequate processes in place. At the very least this should include:

  • Secure firewalls
  • Anti-virus and anti-malware software
  • Regular and robust backup processes
  • A process for updating operating systems on a regular basis
  • Processes that prevent staff members from sharing passwords
  • Reliable encryption
  • Processes to remove outdated info
  • Processes to identify and record what personal data is held and stored by the business
  • Compliance with the requirements of the Information Commissioner’s Office (ICO).

Of course, your own business should also adopt best practices when it comes to the above.

What to do if a trusted partner causes a data breach

What happens if a bank, financial institution or a trusted professional adviser of the business loses confidential data such as bank statements or financial material relating to the business?

Just like an individual, your business can pursue a claim for damages against the party who has either deliberately or negligently breached your confidential data.

Due to the consequences of losing such information, the level of damages that may be awarded is likely to be substantial, not just for the breach itself but also for the consequential damages and losses suffered by the business as a result.

How to protect your data against rogue employees

“87% of employees take sensitive data with them when they leave a company, whether voluntarily or involuntarily.”

As well as protecting your business against external threats, you should also do everything you can to protect yourself from internal ones. This includes:

  • Making sure you have robust security systems in place to prevent data theft
  • Establishing monitoring processes to detect a data theft
  • Ensuring restrictive covenants are written into staff contracts. These prevent staff from sharing sensitive information once they have left your employ
  • Ensuring adequate policies are in place to deal with issues such as social media use
  • Ensuring these policies are communicated to employees.

However, stealing personal information is a crime, so if a disgruntled or former employee steals and then sells or misuses sensitive commercial information to obtain a financial benefit for themselves, or to provide a commercial advantage to a competitor, you can refer the matter to the police. You also have the right to criminally prosecute the individual in question.

In addition, where a theft has occurred you have the power to obtain injunctions to prevent the material being used or disclosed in the first instance, and thereafter you can apply to seize and obtain any financial benefits or rewards the employee or the competitor has achieved with the use of the information that was stolen.

If your business has suffered a data breach due to the negligence or illegality of others, contact Hayes Connor Law. We help you to achieve the maximum amount of compensation in the minimum amount of time.