Wake-up call from Morrisons’ data breach class action

05 December 2018

UK retailer Morrisons’ failed appeal in the UK’s first data breach class action highlights the potential for costly data breach litigation and the need for specialist cyber insurance.

The class action stemmed from a 2014 data breach, in which the payroll data of more than 100,000 employees was stolen by a disgruntled former Morrisons employee and published online. Over 5,000 employees then sued the supermarket chain for damages, winning their class action in the High Court last year. In October 2018, the Court of Appeal dismissed Morrisons’ attempt to overturn last year’s ruling, although the case is now expected to go before the Supreme Court.


The case is notable because Morrisons was found liable despite the fact that it seemingly had appropriate data protection controls and bore no criminal responsibility. The breach resulted from the malicious actions of the company’s then IT auditor Andrew Skelton, who was eventually found guilty of fraud and sentenced to eight years in prison.

Both the High Court and Court of Appeal ruled that Morrisons was ‘vicariously’ liable for the breach. Morrisons now faces a potentially large compensation bill, despite acknowledgment that it had taken reasonable steps to prevent the breach and acted swiftly to take down the published data. It also reassured affected employees that they would not be financially disadvantaged.

This case highlights the wide reach of data protection law, according to law firm Herbert Smith Freehills. In this respect, the decision will concern employers who can now be vicariously liable for the actions taken by a rogue employee, even with appropriate safeguards in place to protect employee personal data, it says.


Although the Morrisons data breach pre-dates the EU’s General Data Protection Regulation (GDPR), class actions are easier to bring under the new regime, which provides the right to claim compensation for ‘non-material damage’.

Herbert Smith says the Morrisons decision, combined with the GDPR and increased public awareness of data protection issues, could spark a “new wave” of court cases from workers and customers in the event of a data breach. Whilst individuals may not be entitled to significant sums, if the data breach affects large numbers of individuals, the total liability potential for organisations could become commensurately large, it warns.

Law firm Hogan Lovells also says that the GDPR could lead to a greater number of similar collective actions for data privacy breaches in the UK, particularly when combined with claims for breach of confidence and misuse of private information. A number of data breaches have given rise to class actions in the UK, including the British Airways, Facebook and Ticketmaster data breaches.

It will be interesting to see the level of compensation Morrisons’ employees receive, given that they have not suffered any known financial loss. Previous cases have established a claimant’s right to seek damages for distress, without the need to prove financial loss to claim compensation. Hogan Lovells says that even if the damages awarded to each affected employee are individually small, given the number of employees involved, the financial implications for the business are potentially huge.


In response to concerns that a large data breach could be potentially ruinous for a company, the Court of Appeal suggested that organisations consider buying insurance:

“There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees…”


The Morrisons data breach class action serves as a wake-up call for businesses. Even when a company takes reasonable steps to protect data, it can still be held liable for the loss of personal data. At the same time, those affected by a data breach are increasingly seeking compensation, even when they have not suffered financial damage.

The Morrisons case, combined with increased consumer rights under the GDPR, clearly points to an increase in third-party liability for data breaches. To date, business interruption has been the main driver for purchasing cyber insurance in Europe, but with changes in the legal environment and the emergence of data breach class actions, liability is likely to emerge as a significant and important change.

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on cyber@jltgroup.com