Home / News & Resources / News & Updates / The Morrisons data breach. Why is it so important?

The Morrisons data breach. Why is it so important?

  • Posted on

The Morrisons data breach. Why is it so important?

In December 2017, in a landmark ruling, the High Court found Morrisons supermarket group liable for a mass data breach caused by the criminal actions of a rogue employee. The judgment, which has huge implications, has received a lot of press attention. But why is it so important? And what can you do if you are the victim of a data breach?

What happened?

In 2014, Andrew Skelton, a disgruntled employee at Morrisons, published the payroll data of almost 100,000 Morrisons staff online. As well as salaries, the data included bank account details, national insurance numbers and dates of birth. He also sent the details to various newspapers, but they did not publish the data and Morrisons was informed of the breach.

Morrisons took immediate action to remove the data and alert the police, so it was only available online for less than 24 hours. Nevertheless, Mr Skelton was sentenced to eight years in prison for the criminal act. But Mr Skelton wasn't the only one to face the consequences of his actions. In 2015 - in the first group litigation of its kind in the UK - 5,518 people brought a claim against Morrisons under the Data Protection Act 1988, for misuse of private information and breach of confidence.

What is a group action claim?

With a group action claim, you and the other Claimants collectively bring your cases to court against a Defendant. Where circumstances are very similar, group actions can be a powerful tool and can have a bigger impact than a single claim.

However, just because a case is part of a group action, this doesn't mean that everyone will get the same amount of compensation if successful. All claims within a group action are still settled based on their merits, and you will receive what you are owed.

What was the outcome?

In December 2017, despite acknowledging that Morrisons had taken all the appropriate steps to prevent a breach, the High Court found that the company was primarily liable for its own acts and omissions (such as not ensuring the proper security measures to protect the data). The judge also ruled that Morrisons was "vicariously liable" for Skelton's actions. In a workplace context, an employer can be vicarious liability for the actions of its employees, as long as it can be shown that they took place in the course of their employment.

Why is the case so important?

While this case is the first of its kind in the UK, it's not expected to be the last; especially with the GDPR due to come into effect later this year. Further extending data protection rights, companies must do more to protect the information they hold.

The decision to hold Morrisons vicariously liable is also important, as it gives victims more opportunities to seek compensation (companies are more likely to be insured against such liability than employees). However, the Court has granted Morrisons permission to appeal the vicarious liability decision, which is good news for the business as the current decision might make the business an accessory in Mr Skelton's criminal activity.

The decision has even wider reaching implications. Until now, a person who suffered damage might have had their compensation increased to take into account any associated distress, but in most cases payment would not have been awarded for suffering alone. However, this case has paved the way for those affected by data breaches to claim damages for distress, even if they have not suffered any financial loss. And that could be huge.

What can you do if you think your data has been breached?

If you think you are a victim of a data breach, contact Hayes Connor Solicitors ASAP. We'll advise you on whether you have a valid claim, answer any questions you might have and go through your options with you.

We can contact the organisation in question, and use any information provided by the Information Commissioners Office (ICO), to check if you have had your data breached (if the company has not admitted as much already). Once we have established that your data has been breached - and the extent of this failing - we'll start the claims procedure on your behalf; often on a no win-no fee basis. Where multiple people have been affected by a violation, we also make group action claims.

We understand that making a compensation claim can be stressful; especially where your sensitive information has already been breached, so, our process is fully compliant with ICO guidance, and we never put your details at risk. We also remove the jargon from the process and make sure you always know what's happening with your case.

With strict-time limits in place for making most compensation claims, if you want to achieve maximum recompense in the minimum amount of time, it's essential to act now.