Morrisons loses data leak appeal

In our latest blog post, our Regional Director and Head of Sales and Distribution – Commercial, Chris Lennon, considers yesterday’s Court of Appeal judgment in the Morrisons case.

Morrisons could face a hefty compensation bill after the supermarket lost an appeal against a ruling that it is liable for a former employee leaking personal information about 100,000 members of staff.

The Court of Appeal judgment in the Morrisons case was released yesterday (22 Oct) with the Appeal being dismissed.  As a result of this ruling, Morrisons remains vicariously liable and this paves the way for 5,518 claimants to receive compensation in the UK’s first data protection class action.

This case comes after workers’ personal details were leaked online by a senior IT employee in 2014. Information including salaries, national insurance numbers, dates of birth and bank account details was also sent to a number of newspapers.

Whilst the individual was jailed for eight years in July 2015 for his actions, the Bradford-based supermarket was found to be vicariously liable in a landmark case that could prompt companies to limit workers’ access to data.

Nick McAleenan, a partner and data privacy law specialist at JMW Solicitors, who is representing the workers, said: “The judges unanimously and robustly dismissed Morrisons’ legal arguments. These shop and factory workers have held one of the UK’s biggest organisations to account and won – and convincingly so.”

“The judgment is a wake-up call for business. People care about what happens to their personal information. They expect large corporations to take responsibility when things go wrong in their own business and cause harm to innocent victims. It’s important to remember that data protection is not solely about protecting information – it’s about protecting people.”

Whilst Morrisons are set to appeal this decision to the Supreme Court, this is clearly a significant moment in the history of privacy liability, and perhaps a watershed moment for the role of insurance. In response to the submission that their judgment would create liability of “potentially ruinous amounts”, the Court of Appeal’s only solution was that companies should insure against it.

This highlights the need for businesses to be conscious of the data they manage and the manner in which it is accessed and, crucially, to treat the management and safekeeping of first-party and third-party data as more than an IT issue. Businesses large and small must examine not only the technology but also the people and processes involved in data management, address needs including training, awareness, governance and advice, and consider the benefits offered by a robust programme of insurance, including Cyber.


Talk to us

For more information on Cyber and how you can protect your business, please speak with a member of the award-winning Cyber practice at Stackhouse Poland, email or call 0330 660 0401.