Morrisons case increases liability for employers

Supermarket Morrisons lost its appeal following a breach at the company which resulted in thousands of its employees’ details being posted online. The case is the first data leak group action in the UK.

For employers, this could lead to significant increases in liability when it comes to data breach cases.

What happened in this case?

In December 2017, in a landmark ruling, the High Court found Morrisons supermarket group liable for a mass data breach caused by the criminal actions of a rogue employee. In this case, the employee stole data from nearly 100,000 staff. This included names, addresses, salary and bank details. The information was then posted online and sent to newspapers. The media did not publish the data and Morrisons was informed of the breach. The employee was subsequently jailed for eight years.

Despite acknowledging that Morrisons had taken all the appropriate steps to prevent a breach, the High Court found that the company was primarily liable for its own acts and omissions (such as not ensuring the proper security measures to protect the data).

Crucially, the judge also ruled that Morrisons was “vicariously liable” for Skelton’s actions. In a workplace context, an employer can be vicariously liable for the actions of its employees, as long as it can be shown that they took place in the course of their employment.

The decision to hold Morrisons vicariously liable is important as it gives victims more opportunities to seek compensation following a data breach (companies are more likely to be insured against such liability than employees).

But the decision had even wider reaching implications. Until this case, a person who suffered damage might have had their compensation increased to take into account any associated distress, but in most cases payment would not have been awarded for suffering alone. However, the ruling paved the way for those affected by data breaches to claim damages for distress, even if they have not experienced any financial loss. And that could be huge.

Morrisons went on to challenge the decision, but in October 2018, the Court of Appeal upheld the original ruling against the supermarket with three judges saying they agreed with the High Court’s earlier decision.

Where next?

Over the last 18 months, we have seen numerous examples of significant personal data loss. Many of these breaches were possible because of weaknesses in companies’ IT software.

As the move towards a cashless society accelerates, this trend will continue as retailers and other businesses seek quicker and slicker interfaces with their consumers, both at the point of sale and throughout their customer journey.

In the case of Morrisons, significant steps were taken to protect data, but those steps failed. In this instance, the data was lost at the hands of the employee turned hacker. However, data is also at threat simply due to careless employees going about their day-to-day business.

The latest ruling is the tip of a very large iceberg. Mass data breach actions are also being made against Ticketmaster and British Airways among others. Such actions, when properly prepared and investigated, will have significant financial consequences in terms of damages and costs.

Data breaches on a large scale are a real and pressing threat. In response, the clear and overwhelming view of the Court of Appeal is that such events must be foreseen by companies, and insured against.

The reaction of the insurers to such events, their provision of cyber cover and their premium costs are now under the spotlight. Indeed, we predict a situation where the volume of exclusions to policies will increase.

Companies must now protect themselves better from data loss. But they also need to be extremely vigilant as to the activities and errors of their employees to be afforded the cover they pay for, or think they pay for.

Morrisons has now said that it will take its fight to the Supreme Court. But if the decision is upheld, the case will have widespread repercussions for employers, not least because the interpretation of vicarious liability could leave them open to an unprecedented level of legal action. How businesses mitigate this increased risk profile remains to be seen.

At Hayes Connor Law, we help to keep you compliant with robust policies and procedures.

For bespoke advice that is cost-effective, confidential, and appropriate to your business, contact us today.
