[BreachExchange] This Is What The Morrisons Data Leak Class Action Means For Future Breaches

Destry Winant destry at riskbasedsecurity.com
Tue Oct 23 00:00:34 EDT 2018


UK supermarket Morrisons is facing a massive payout to staff after
losing the first data leak class action in the UK. It comes after
Andrew Skelton, a senior internal auditor at the retailer's Bradford
headquarters, leaked employee data online in 2014. Last year, a court
ruled the firm was liable for his actions.

The company appealed the decision, but today (22 October) a UK High
Court ruling found the supermarket giant liable for the data breach
that saw nearly 100,000 of its employees' sensitive details including
salary and bank details posted online. Those affected can now claim
compensation for "upset and distress".

The leak does not come under the EU Update to General Data Protection
Regulation (GDPR), but it shows the huge cost of a data breach going
forward. This can include class action by "interested parties" –
including shareholders and victims of the breach.

“It will be interesting to see how the precedents set by the ICO and
FCA on breached firms will shape the litigation of class actions
moving forward,” says Ian Thornton-Trump, head of cybersecurity,
AmTrust International.

He says regulators are "fed up" with firms being breached, especially
"when they find it was easily preventable". Meanwhile, banks and
insurance firms don't want to continue to pay out for easily
preventable data breaches, he adds.

He thinks the future will see class action being supported by a
regulatory finding and fine. “In a way, an egregious regulatory fine
and specific charges of negligence, lack of due diligence in data
protection or botched breach notification will really stoke the fires
of a class action, because the evidence of incompetence will be
readably available.”

Thornton-Trump thinks it will make the "discovery" process of class
action move along at a much faster rate. “The regulatory agency will
need to produce a comprehensive ‘chronicle of shame’ to support any
significant fine or penalty. It will be a very symbiotic

It will also be an interesting “test case” from a US perspective. “It
may even embolden more class actions in an already pretty litigious
data breach environment,” Thornton-Trump points out.

“It serves as another large and unknown potential data breach cost
that needs to be factored into the corporate risk assessment.
Certainly, in the case of shareholder class actions armed with a
comprehensive report from regulators, the executives at a firm may
find themselves in for a very expensive and precarious career

At a time when cyber-attacks happen every day and increasingly in the
public eye, it’s a huge blow for reputations, too. “This could not
come at a worse time for Morrisons, when grocery firms in the UK and
around the world are in deep competition with each other,” says
Thornton-Trump. “The breach clean up, regulatory action and class
action lawsuits are revenue and reputation hits which could be
catastrophic in low margin, highly-competitive market places.”

More information about the BreachExchange mailing list