The Morrisons Case – Data Protection Breaches and Liability

23rd January 2018


When are you liable for a data breach? How will this change when the new UK Data Protection Bill and the General Data Protection Regulation (GDPR) come into force later this year?

These questions are particularly hot in the press as the Morrisons Data Breach (2014) case continues to be investigated in UK courts…

On the 12th of January 2014, supermarket giant Morrisons suffered a sizable data breach when a file containing the personal details of 99,998 Morrisons employees was uploaded onto a file sharing website. The file was also loaded onto a CD and sent to 3 UK newspapers. It was the newspapers that alerted Morrisons to the breach, and despite a gallant attempt to contain it, vulnerable data including names, national insurance numbers, addresses, dates of birth, telephone numbers, bank account and salary details was successfully leaked all over the internet.

The files were leaked by recent ex-employee, Andrew Skelton, a senior IT Auditor at Morrisons. It is believed that he held a vendetta against the supermarket giant after he had been suspended from employment and felt he hadn’t been treated fairly.

In the first instance, the matter was treated as a civil case and Skelton was sentenced to 8 years’ imprisonment.

However, following the sentencing, 5,518 of the individuals whose data had been leaked brought proceedings against Morrisons itself, on the basis that although Skelton held primary liability for the data breach, Morrisons should be held liable for Skelton’s actions. This type of liability is called vicarious liability (or secondary liability).

So, although Morrisons were not directly liable for the data breach, they are now facing the bill for any compensation awarded to the claimants who suffered as a direct result of it.

The courts will look into the harm that the data breach caused on an individual level to determine the claim pay-outs, but the value of each compensation claim is predicted to average a few thousand pounds per individual affected.

Morrisons could be facing fines that will total around £16.5 million for a data breach they weren’t found directly liable for.

How could the new Data Protection laws impact verdicts like this one?

Yes, you’ve guessed it, it is very likely that the GDPR and the new UK Data Protection Bill (UK DP Bill) will readdress these issues. Under GDPR, any person who has suffered ‘material or non-material damage’ due to a breach of the regulation has a right to compensation from the data controller or the data processor for any damage suffered. Once the new legislation is implemented, it will be easier to prosecute for vicarious liability. In addition, both the GDPR and UK DP Bill extend the ability of data subjects to take proceedings following a security breach. In conclusion, it is very likely that we will see much more of this type of action being taken against employers in the near future.

In fact, the solicitors who brought forward these proceedings are already trying to progress at least another two cases, similar in nature, against a bank and an insurer and are scouting for other cases to come forward too…

We can be sure that this is, at the very least, going to be a part of the new GDPR enforcement regime. If the Morrisons case highlights anything, it is that the GDPR will be more heavily enforced.

How do you protect yourself from vicarious liability?

Even for SMEs, claims resulting from a vicarious liability breach could have heavier financial implications than we ever anticipated. The Morrisons case has highlighted that dealing with a data breach in 2018 is going to involve a lot more than simply meeting the new 72-hour deadline for reporting one.

Steps to take to reduce your secondary liability:

  1. GDPR mapping and planning
    By now your GDPR mapping and planning should be well underway (read more on GDPR mapping here…). Not only should you be focusing on the data you hold, obtaining opt-in consents and overhauling your cyber security, but you should also be preparing, testing and monitoring to ensure you have a quick response time for reporting and containing data breaches. Do your employees know what to do if they suspect a data breach?
  2. Security measures
    Both the UK DP Bill and the GDPR stipulate that you must have the optimum security measures in place to protect your data. Data encryption, anti-virus software, password protection and active firewalls – if you haven’t reviewed your IT cyber security recently then now is the time to do it. In the event of a data breach, the ICO will investigate and will want proof that you have taken ample measures to keep your vulnerable data safe.
  3. Data Subject Access Rights
    It is important to police the procedures that enable individuals to access their own data to ensure vulnerable data remains protected.
  4. Policy Reviews
    Now is the time to review your data policies to ensure that any data held is held compliantly. Data minimisation is an important principle of the GDPR and stipulates that any data you collect or process should not be held or processed for longer than is strictly necessary. (Read more on how to delete unwanted data here…) Griffin House recommend mapping your data to ensure each and every file is accounted for and fully compliant under the GDPR, PECR and new UK DP Bill well before the deadline. Again, in the event of a data breach, the ICO will ask you to provide evidence that you have taken steps towards data minimisation and are actively protecting your data in line with the new guidance.
  5. Pseudonymisation
    Making sure you limit the data your employees are exposed to will undoubtedly protect you from vicarious liability claims. Pseudonymous data is data that is processed in such a way that it can no longer be attributed to a specific individual without the use of additional information. Limiting your employees’ exposure to data in this way means that they cannot access or copy large amounts of data at any one time, reducing your risk of a breach.
  6. Training
    When it comes to Data Protection, training is everything. Are your employees aware of the new data protection legislation? Do they know how to spot cyber security risks? Do your employees know what to do if they suspect a data breach? Training your staff may be the best investment you make in 2018. Find out more about Griffin House’s range of training, from bespoke workshops to e-learning basics, here…

Ultimately, limiting your vicarious liability involves reviewing your procedures and asking yourself ‘How can I improve my procedures to reduce my risk?’

Don’t delay, begin your preparations today. Please do give us a call on +44 (0)1673 88 55 33 if you would like to discuss anything in this article further. We love to talk.
