Morrisons data breach threatens vicarious liability

In October, the Court of Appeal found Morrisons Supermarkets vicariously liable for a data breach caused by the actions of a disgruntled employee. It is the first successful UK class action of its kind and, if it continues to be upheld, it places the burden for data security squarely on the shoulders of businesses.

The finding comes despite the court recognising that Morrisons had done everything it reasonably could to prevent data misuse and that the employee’s main objective seems to have been to cause reputational or financial damage to the chain. While Morrisons is appealing the verdict to the Supreme Court, the ramifications for businesses who are victims of intentional data breaches by their employees could be hugely significant.

The growing risk of vicarious liability

In 2015, a senior Morrisons IT employee leaked personal information relating to about 100,000 members of staff online, including salaries, National Insurance numbers, dates of birth and bank account details. The class action has been brought by about 5,500 affected employees. While the employee concerned was sentenced to eight years for his part in the data breach, Morrisons denied all legal liability.

However, the Court of Appeal disagreed, despite the fact that Morrisons hadn’t committed a breach of data protection law. It didn’t matter that they were the intended victim or whether they had the right safeguards in place, it said.

This ruling makes matters extremely difficult for risk managers. The amount of personal data being processed by companies continues to grow exponentially, and with the Internet of Things fast becoming a reality and the introduction of 5G mobile data in 2020, businesses will find themselves exposed to ever greater risk of a breach of data protection laws. The advent of GDPR and the subsequent growth in consumer awareness regarding their data rights makes it likely that class actions such as this will become more prevalent as a result.

Morrisons argued that the ruling placed a disproportionate burden on them as an employer to secure their data, and that the potential cost of compliance is dwarfed only by the risk of exposure to claims for compensation by large numbers of victims. The Court of Appeal disagreed, which means risk managers in large and small enterprises alike are left with little option but to find ways of mitigating the risk of civil liability, negative publicity and impact on share price that a data breach could now trigger.

Getting the right cover

The Court of Appeal’s answer to what they termed “Doomsday or Armageddon arguments” was that employers can insure themselves against the risk of a data breach and its subsequent fallout. However, this is a complex issue.

Data breach claims for vicarious liability could be covered by a range of policy types, from cyber insurance to public liability insurance amongst several others. This leaves a significant level of variation in policy wording, complicated further by the fact that some claims may be excluded completely if the data breach was committed by someone senior enough that their intent may be attributed to the company. And should the floodgates open for class action claims in this area, it’s likely that some insurers will increase premiums, while others may remove vicarious liability coverage from their policies completely.

Limiting access to data

The implications for other businesses could be widespread. According to 2-sec, a cybersecurity consultancy based in London, approximately 70 percent of employees have access to data and other critical information that they shouldn’t. They argue that larger organisations should designate someone from human resources to be responsible for ascertaining and continually monitoring each employee’s role and purpose when it comes to company data. For smaller companies, the responsibility should fall on the chief executive, working with their IT company to establish whether employee access is appropriate.

In a similar vein, security expert Michelle Drolet recommends encrypting data at all times, especially anything that’s sensitive. She also suggests dividing data into categories to ensure sensitive data can only be accessed by those with a genuine reason for using it, with authentication procedures to verify the user and audit logs to scan for anything suspicious.

Mitigating loss or harm

Because GDPR now allows for individual victims to be compensated for distress, rather than simple material damage, the amount paid out per claim has the potential to grow. However, even with more than 5,500 claimants in the Morrisons case, there is still uncertainty about the size of the supermarket’s compensation bill if the ruling is upheld. While it will inevitably be painful, Morrisons argued that they worked to remove the data quickly, protected any employees at risk and hadn’t found anyone who had suffered any direct financial loss, so it may be difficult for claimants to demonstrate any harm or loss themselves.

What next?

Morrisons’ appeal to the Supreme Court will mark its third attempt to avoid liability for the actions of a single malicious employee. If it fails, not only will the chain have to pay a hefty compensation bill, but businesses everywhere will be forced to recognise a seismic shift in the level of risk they must mitigate when handling personal data. Regardless of industry, it will remain a challenge to do so while staying both efficient and competitive. But the consequences of failing to adjust are just not worth the risk.

  • About Enterprise Risk Magazine

    Enterprise Risk Magazine is the leading quarterly title for risk managers and enterprise risk, with a print circulation of over 5,500.

    Enterprise Risk is published on behalf of the Institute of Risk Management (IRM). The majority of IRM members receive their copy of Enterprise Risk at their home address, meaning the title... Read more
  • Categories

  • Tags