Data Breach Compensation: The New PPI?

By Phil Brining

The High Court's decision on the theft and publication of supermarket giant Morrison's payroll data by a rogue employee raises interesting points about liability in the event of data loss.

In December 2017 Mr Justice Langstaff ruled that the technical and organisational controls in place to guard against data loss were sufficient for Morrison's not to be primarily liable for the leak, but that Morrison's were vicariously liable for the actions of their employee. The judgement was critical of over-retention of data by Morrison's, but ruled that in permitting [Mr] Skelton to have the data Morrison's were not in breach of the 7th data protection principle, and that no reasonable controls additional to those already in place would have prevented [Mr] Skelton's criminal misuse of the employee data. As there was no breach of the 7th data protection principle, it seems unlikely that the ICO will fine Morrison's. We await with interest the next step in this saga, noting with a shudder that if compensation is awarded to the employees against Morrison's it could run to millions of pounds, given the volume (100,000) of records that were misused.

While this is the first time in UK legal history that a class action has been brought against a data controller for a data breach, it is not the first time that compensation for distress caused by unlawful processing of personal data has been awarded (see Woolley v Akram and Google v Vidal-Hall). In Woolley v Akram the plaintiffs were awarded £8,500 each!

We have been stressing for some time that the prospect of compensation will put huge pressure on organisations to comply with the GDPR, pressure that is likely to be more effective than the fines regime, and we have been predicting for many months that data breach compensation will be the new PPI. To emphasise the point, just take 25 seconds to Google "data leak lawyers" … but make sure you are sitting down first!
