Guest Blog by Shakira Joyner of HCHR
You may or may not have heard of the Morrison’s data breach case that’s been reported in the media.
In January 2014, Andrew Skelton, an apparently disgruntled employee of Morrisons Supermarket posted a file containing the personal data (including salaries, bank details, and National Insurance numbers) of 99,998 Morrison’s’ employees on a file-sharing website. It seems his intention was to cause mass-scale damage to the supermarket. The chain acted quickly to get the file removed from the Internet within a matter of hours. At his criminal trial, Mr Skelton was jailed for eight years.
At first blush, that may seem an extraordinarily high sentence, more relative to ‘nastier’ crimes, but it no doubt reflects the potentially enormous damage that such actions can cause.
Last year, the High Court ruled that the supermarket was vicariously liable for the data breach and that employees should receive compensation. More than 5,500 claimants are seeking a pay-out in the case, although there has been no indication that anyone has suffered financially from the leak.
Compensation claims for data breaches are nothing new. Hundreds of such claims are threatened each year, usually by individual claimants.
The data breaches are often the result of innocent mistakes by otherwise well-intentioned members of staff. Examples include:
- paperwork, discs, and flash drives dropped in public places, as people take work home, or between sites.
- emails sent to multiple parties using the ‘To’ or ‘CC’ fields, rather than the ‘BCC’ field.
- requests for data being responded to carelessly (e.g. sending of irrelevant, as well as relevant, information).
- failures to obtain necessary consents e.g. wrongly assuming that an individual is happy for information to be shared with their family.
- accidental publication of material online.
Deliberate Data Breach
Less common examples are occasions where the breaches are deliberate. These tend to arise either from idle gossip or where there is some improper motive for personal gain. Examples of the latter include the pursuit of financial, political, or even romantic ends.
For commercial reasons as much as anything, the majority of data breach claims are settled at an early stage, often prior to the commencement of proceedings. Damages (compensation) will often be limited to distress. There is some debate about whether distress should be judged solely on the ‘egg-shell skull’ principle (take your victim as you find them) or whether there must be some objective rationality to the feelings arising. There is also debate as to whether awards will necessarily be higher if the data has been deliberately exploited, as opposed to an accidental breach.
Due to the relative lack of authorities (i.e. cases resulting in awards of damages by the Court) and the temptation for defendants to reach an early settlement, the level of damages secured varies widely from one claim to the next. Damages vary between individual victims ranging from as little as £750 to £35,000 (these figures exclude cases involving deliberate breaches – e.g. phone-hacking). There is generally little for a defendant to gain by contesting the claim to trial and a sensible defendant will make a reasonable offer at an early stage. Equally, uncertainty about damages awards has been an incentive for defendants to settle as much as it may have deterred some claimants from pursuing claims.
Implications for Morrisons
With the potential number of Claimants standing at close to 100,000, conceding liability would have had dire consequences for Morrison’s. Even if each individual claim were worth a mere £500, total liability would potentially extend to £50,000,000 (with significant administrative, and legal costs in addition to this).
Morrison’s have said that it now intends to appeal to the Supreme Court.
If that appeal fails, those affected will be able to claim compensation for “upset and distress”. That will be a good thing for prospective claimants who feel they deserve redress, but would possibly have baulked at the idea of entering into major litigation.
The case is the first data leak class action in the UK.
The judgment has been heralded a “wake-up call” for business according to Personnel Today. People care about what happens to their personal information. They expect large corporations to take responsibility when things go wrong in their own business and cause harm to innocent victims. It’s important to remember that data protection is not solely about protecting information – it’s about protecting people.