Posts

data breach appeal
, ,

Morrisons loses data breach appeal

Supermarket Morrisons has lost its appeal following a breach at the company which resulted in thousands of its employees’ details being posted online. The case is the first data leak group action in the UK.

In December 2017, in a landmark ruling, the High Court found Morrisons supermarket group liable for a mass data breach caused by the criminal actions of a rogue employee. However, Morrisons went on to challenge this decision.

The employee stole data from nearly 100,000 staff. This included names, addresses, salary and bank details. The information was then posted online and sent to newspapers. The media did not publish the data and Morrisons was informed of the breach. The employee was subsequently jailed for eight years.

The Court of Appeal upheld the original decision against the supermarket with three judges saying they agreed with the High Court’s earlier decision.

 

Where Next

Over the last 18 months, we have seen numerous examples of significant personal data loss. Many of these violations have been able to occur due to weaknesses contained in companies’ IT software.

As the trend towards a cashless society accelerates, this will only continue as retailers and other businesses seek quicker and slicker interfaces with their consumers. Both at the point of sale and throughout their customer journey.

In the case of Morrisons, significant steps were taken to protect data, but those steps failed. In this instance, the data was lost at the hands of an employee turned hacker. However, data is also at threat simply due to careless employees going about their day-to-day business.

The latest ruling is the tip of a very large iceberg. Mass data breach actions are also being made against Ticketmaster and British Airways among others. Such actions, when properly prepared and investigated, will have significant financial consequences in terms of damages and costs.

Data breaches on a large scale are a real and pressing threat. In response, the clear and overwhelming view of the Court of Appeal is that such events must be foreseen by companies, and insured against.

The reaction of the insurers to such events, their provision of cyber cover and premium costs is now under the spotlight. Indeed, we predict a situation where the volume of exclusions to policies will increase.

Companies must now protect themselves better from data loss. But they also need to be extremely vigilant as to the activities and errors of their employees to be afforded the cover they pay for, or think they pay for.

 

If you have been affected by this or any other data breach then you can get in touch with our experts today

data breach solicitors
,

Morrisons loses data breach challenge

Supermarket Morrisons has lost its appeal following a breach at the company which resulted in thousands of its employees’ details being posted online. The case is the first data leak group action in the UK.

 

In December 2017, in a landmark ruling, the High Court found Morrisons supermarket group liable for a mass data breach caused by the criminal actions of a rogue employee. However, Morrisons went on to challenge this decision.

The employee stole data from nearly 100,000 staff. This included names, addresses, salary and bank details. The information was then posted online and sent to newspapers. The media did not publish the data and Morrisons was informed of the breach. The employee was subsequently jailed for eight years.

Today, the Court of Appeal upheld the original decision against the supermarket with three judges saying they agreed with the High Court’s earlier decision.

Why is this case so important?

In 2015 – in the first group litigation of its kind in the UK – over 5,000 people brought a claim against Morrisons under the Data Protection Act 1988, for misuse of private information and breach of confidence.

In December 2017, despite acknowledging that Morrisons had taken all the appropriate steps to prevent a breach, the High Court found that the company was liable for its omissions such as not ensuring the proper security measures to protect the data.

The judge in the original case also ruled that Morrisons was “vicariously liable” for the employee’s actions. In a workplace context, an employer can be vicarious liability for the actions of its employees, as long as it can be shown that they took place in the course of their employment.

The decision to hold Morrisons vicariously liable is important, as it gives victims more opportunities to seek compensation (companies are more likely to be insured against such liability than employees).

The case also paved the way for those affected by data breaches to claim damages for distress, even if they have not suffered any financial loss.

 

Morrisons has now said that it will now appeal to the Supreme Court. If that appeal fails, those affected will be able to claim compensation for “upset and distress”.

The latest decision is good news for people who want to hold businesses to account for a failure to protect personal and sensitive data.

The judgement has been referred to as a “wake-up call for businesses” and Morrisons could now face a hefty compensation bill.

 

equifax data hack
,

What is a group action claim?

In 2015 – in the first group litigation of its kind in the UK – 5,518 people brought a claim against Morrisons under the Data Protection Act 1988, for misuse of private information and breach of confidence. But what is a group action claim and can you join one?

A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also sometimes called class actions, collective redress actions, or multi-party actions. With a group action, this group of people (the Claimants) collectively bring their cases to court against a Defendant. These victims then fight together to achieve compensation in the High Court of Justice.

The benefits of group action claims

Group action claims are becoming far more common in the UK. Here are just some of the reasons why:

  • Strength in numbers. Starting a claim can be frightening, and it’s not unusual for people who have perfectly valid complaints to be put off due to the risks of going up against a large and well-resourced Defendant. Where cases are very similar, group actions can be a powerful tool and can redress the balance.
  • Save on legal costs. By joining together, individuals can share the risks and costs of claiming compensation. Legal advice is also shared, so not everyone in the action needs to pay for their own solicitor.
  • Help victims with smaller claims. Group actions provide a way for people with more modest cases (that may not justify legal fees) to claim the compensation they deserve. Often, solicitors will agree to take such cases on a no-win no-fee basis.
  • You might not have to go to court. Usually, a Lead Test Case is started, and common issues are tried. The result of this case is then used as a precedent for other cases in the action; so every single claim doesn’t have to be taken to court.

 

Who can make a data protection group action claim?

In data breach cases, the Information Commissioner’s Office (ICO) investigates any reported breaches and has the power to impose hefty fines. If the ICO believes that an organisation broke the law, this information can be used in court to support a group action claim.

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, and the ICO finds that the organisation did indeed break the law, you have a right to claim compensation. However, in many cases, where a breach occurs, you won’t be the only person making a claim. In such circumstances, it is often worth joining a group action claim.

However, before you can join a group action, the court decides whether claims can be grouped together. Where approved, a group litigation order (GLO) is created which grants permission for group action proceedings to begin.

In many cases, people start to think about joining a group action before the court has issued a GLO, or even before an organisation has been found guilty and fined by the ICO. For example, at Hayes Connor Solicitors, having witnessed an influx of queries from clients who have received letters from Equifax informing them that their data may be at risk following the latest hack, we are currently building a secure database of victims who want to seek compensation for damages or distress suffered. If Equifax is fined, we will let people know when their claim for compensation can be made and help them get the compensation they deserve.

 

Does everyone in a group action claim get the same amount of compensation?

No. Just because your case is part of a group action doesn’t mean that you will receive the same amount of compensation as everyone else.

All claims within a group action are settled based on their merits, and, as with any case, the value of your claim depends on the extent of your suffering. So if your claim is successful, you will receive what you are owed.

CONTACT US TO FIND OUT MORE ABOUT MAKING A GROUP ACTION CLAIM

The Morrisons data breach. Why is it so important?

The Morrisons data breach. Why is it so important?

In December 2017, in a landmark ruling, the High Court found Morrisons supermarket group liable for a mass data breach caused by the criminal actions of a rogue employee. The judgment, which has huge implications, has received a lot of press attention. But why is it so important? And what can you do if you are the victim of a data breach?

What happened?

In 2014, Andrew Skelton, a disgruntled employee at Morrisons, published the payroll data of almost 100,000 Morrisons staff online. As well as salaries, the data included bank account details, national insurance numbers and dates of birth. He also sent the details to various newspapers, but they did not publish the data and Morrisons was informed of the breach.

Morrisons took immediate action to remove the data and alert the police, so it was only available online for less than 24 hours. Nevertheless, Mr Skelton was sentenced to eight years in prison for the criminal act. But Mr Skelton wasn’t the only one to face the consequences of his actions. In 2015 – in the first group litigation of its kind in the UK – 5,518 people brought a claim against Morrisons under the Data Protection Act 1988, for misuse of private information and breach of confidence.

What is a group action claim?

With a group action claim, you and the other Claimants collectively bring your cases to court against a Defendant. Where circumstances are very similar, group actions can be a powerful tool and can have a bigger impact than a single claim.

However, just because a case is part of a group action, this doesn’t mean that everyone will get the same amount of compensation if successful. All claims within a group action are still settled based on their merits, and you will receive what you are owed.

What was the outcome?

In December 2017, despite acknowledging that Morrisons had taken all the appropriate steps to prevent a breach, the High Court found that the company was primarily liable for its own acts and omissions (such as not ensuring the proper security measures to protect the data). The judge also ruled that Morrisons was “vicariously liable” for Skelton’s actions. In a workplace context, an employer can be vicarious liability for the actions of its employees, as long as it can be shown that they took place in the course of their employment.

Why is the case so important?

While this case is the first of its kind in the UK, it’s not expected to be the last; especially with the GDPR due to come into effect later this year. Further extending data protection rights, companies must do more to protect the information they hold.

The decision to hold Morrisons vicariously liable is also important, as it gives victims more opportunities to seek compensation (companies are more likely to be insured against such liability than employees). However, the Court has granted Morrisons permission to appeal the vicarious liability decision, which is good news for the business as the current decision might make the business an accessory in Mr Skelton’s criminal activity.

The decision has even wider reaching implications. Until now, a person who suffered damage might have had their compensation increased to take into account any associated distress, but in most cases payment would not have been awarded for suffering alone. However, this case has paved the way for those affected by data breaches to claim damages for distress, even if they have not suffered any financial loss. And that could be huge.

What can you do if you think your data has been breached?

If you think you are a victim of a data breach, contact Hayes Connor Solicitors ASAP. We’ll advise you on whether you have a valid claim, answer any questions you might have and go through your options with you.

We can contact the organisation in question, and use any information provided by the Information Commissioners Office (ICO), to check if you have had your data breached (if the company has not admitted as much already). Once we have established that your data has been breached – and the extent of this failing – we’ll start the claims procedure on your behalf; often on a no win-no fee basis. Where multiple people have been affected by a violation, we also make group action claims.

We understand that making a compensation claim can be stressful; especially where your sensitive information has already been breached, so, our process is fully compliant with ICO guidance, and we never put your details at risk. We also remove the jargon from the process and make sure you always know what’s happening with your case.

With strict-time limits in place for making most compensation claims, if you want to achieve maximum recompense in the minimum amount of time, it’s essential to act now.

,

Morrisons employees data breach victory

The recent judgment in the Morrisons data breach case concerning the vicariously liability of employers for the actions of employees involved in  breaches of data is potentially highly significant for the insurance industry – both for the insurer and the insured.

 

The group litigation claim which was brought against the supermarket chain arose from a situation where a rogue employee placed on the internet the personal and sensitive data of other employees he had gained access to when playing a part in auditing the payroll of the business. The rogue employee was subsequently  convicted and received a substantial term of imprisonment for his criminal acts.

 

The basis of the claim against Morrisons was founded upon three causes of action – breach of statutory duty under the Data Protection Act 1998; misuse of confidential information and breach of confidence. It was asserted by the employees of the company that Morrisons was liable for the actions of their employee either directly and/or on a vicarious basis.

 

The High Court ruled that Morrisons were vicariously liable for the actions of their rogue employee on the basis of the “social justice” principle due in part to the connection and control that the employee had on behalf of his employer of the leaked sensitive data.

 

Whilst all cases in this field must be viewed on a fact specific basis, the potential impact of this ruling on employers is considerable as it extends their risk of exposure to liability for the actions of their employees when they have committed illegal acts without their knowledge.

Group action litigation involving thousands of claims brought against a company is not cheap to defend through the civil courts and also if not defended successfully, will lead to substantial payments of damages.

 

See what others have to say about it

The Telegraph

Sky News

 

If your employer has put your data at risk or you want more information about how to claim then contact us via our secure form.

equifax data breach even worse
,

Equifax data hack letter – What to do next

If you are one of a number of people who has received a letter from Equifax tell you that your data has been involved in the Equifax data hack you may be worried and unsure what to do next.

Firstly. Its important for you to know that the FCA is now investigating this matter.

The good news for consumers is that the FCA has considerably more powers that the ICO and so this ensures that the matter is being treated seriously.

Secondly, unfortunately you are not alone its estimated that up to 400,000 people in the UK may have been affected by the Equifax hack.

Thirdly – We are looking into starting a group action claim to better protect the individuals affected.

If you want to be part of this claim or you would like more information then register with us via our secure form.

You can also call us if you have any questions about the process.

Once you have registered with us:

  • It’s important to keep a ‘diary’ or note of events since the hack – for example has your card been used without permission?
  • Are there transactions that you bank have picked up that you haven’t made?
  • Are you getting more ‘spam’ or junk email – With your name on? -I so create a folder and keep it – this may be relevant
  • Are you anxious or worried by the thought of people being able to access your data? Has this caused you any distress?

We will keep you updated about any new breaches via our facebook page and newsletter and also notify you when we know more about the equifax hack.

 

equifax data breach even worse
,

Equifax hack – More information

Equifax Data Hack – More information…

In December the FCA (Financial conduct authority) confirmed that they are investigating Equifax over the massive data hack.

Over 100,000 UK customers may have been affected by this hack.

We are still hearing from clients who are only now receiving letters from Equifax.

We would urge you to check your post and email and if you do get a letter contact us for further advice about what to do.

You are entitled to some level of compensation for this hack of Equifax.

If you want more information or to make a claim contact us today via our secure form

Once registered with us or if you have received a letter:

  • It’s important to keep a ‘diary’ or note of events since the hack – for example has your card been used without permission?
  • Are there transactions that you bank have picked up that you haven’t made?
  • Are you getting more ‘spam’ or junk email – With your name on? -I so create a folder and keep it – this may be relevant
  • Are you anxious or worried by the thought of people being able to access your data? Has this caused you any distress?

We will keep you updated about any new breaches via our facebook page and group and also notify you when we know more about the equifax hack.

To register your claim today visit our secure data breach form