Data Breach : Compensation claims for mass data breaches

In January 2014, Andrew Skelton, an apparently disgruntled employee of Morrisons Supermarket posted a file containing the personal data (including salaries, bank details, and National Insurance numbers) of 99,998 Morrisons’ employees on a file-sharing website.  It seems his intention was to cause mass-scale damage to the supermarket.  In March 2014, a CD containing the data was sent to three UK newspapers, one of whom alerted Morrisons.  Chief among the company’s concerns was the possibility of the data being used to aid theft or identity theft from the staff concerned.  They acted quickly to get the file removed from the Internet within a few hours.

Skelton was eventually charged with fraud by abuse of position (contrary to section 4 Fraud Act 2006), unauthorised access to computer material with intent to commit or facilitate further offences (contrary to section 2 Computer Misuse Act 1990), and the unlawful obtaining of personal data (contrary to section 55 Data Protection Act 1998).  In July 2015, he was sentenced to eight years’ imprisonment.  At first blush that may seem an extraordinarily high sentence, relative to ‘nastier’ crimes, but it no doubt reflects the potentially enormous damage that such actions can cause.

Some 15 months later, in October 2017, the High Court heard the trial of civil compensation claims brought against Morrisons by 5,518 (approximately 5.5%) of the employees affected.

Compensation claims for data breaches are nothing new.  Hundreds of such claims are threatened each year, usually by individual claimants.  We alone have advanced more than 50 such claims (against corporate defendants or arms of the state) over the past three years.  In many instances (including the Morrisons case) data breach claims will be run alongside claims for the misuse of private information and/or breach of confidence.  The same facts will often (but not always) give rise to all three claims.  Perhaps the most famous ‘privacy’ claims – the ‘phone hacking’ litigation against News Group and Trinity Mirror, did not see concurrent claims brought under the Data Protection Act – although there is no obvious reason why the papers would not also have been liable under the DPA.

The data breaches are often the result of innocent mistakes by otherwise well-intentioned members of staff.  Examples include:-

• paperwork, discs, and flash drives dropped in the street or on public transport, as people take work home, or between sites.
• emails sent to multiple parties using the ‘To’ or ‘CC’ fields, rather than the ‘BCC’ field.
• requests for data being responded to carelessly (e.g. sending of irrelevant, as well as relevant, information).
• failures to obtain necessary consents e.g. wrongly assuming that an individual is happy for information to be shared with their family.
• accidental publication of material online.

Less common are occasions where the breaches are deliberate.  These tend to arise either from idle gossip or where there is some improper motive for personal gain.  Examples of the latter include the pursuit of financial, political, or even romantic ends.

For commercial reasons as much as anything, the majority of data breach claims are settled at an early stage, often prior to the commencement of proceedings.  Damages (compensation) will often be limited to distress.  There is some debate about whether distress should be judged solely on the ‘egg-shell skull’ principle (take your victim as you find them) or whether there must be some objective rationality to the feelings arising.  There is also debate about whether awards will necessarily be higher if the data has been deliberately exploited, as opposed to an accidental breach.  Because of the relative lack of authorities (i.e. cases resulting in awards of damages by the Court) and the temptation for defendants to reach an early settlement, the level of damages secured varies widely from one claim to the next.  Of the 50+ data protection claims that we have pursued, damages received by individual victims have ranged from as little as £750 to £35,000 (these figures exclude cases involving deliberate breaches - e.g. phone-hacking).  There is generally little for a defendant to gain by contesting the claim to trial and a sensible defendant will make a reasonable offer at an early stage.  Equally, uncertainty about damages awards has been an incentive for defendants to settle as much as it may have deterred some claimants from pursuing claims.

The Morrisons data leak involved what, back in 2014 at least, was considered an unusually large number of individuals.  Since that time there have been many much-publicised data leaks involving TalkTalk (2015), Ashley Madison (2015), Three (2016), Uber (2016), Bupa (2017), and Equifax (2017), amongst others.  The Yahoo! leak reportedly involved over 1 billion people, but although that took place in 2013, it was not reported until 2016.

With the potential number of Claimants standing at close to 100,000, conceding liability would have had dire consequences for Morrisons.  Even if each individual claim were worth a mere £500, total liability would potentially extend to £50,000,000 (with significant administrative, and legal costs on top).  Moreover, they likely felt that their position was uniquely invidious, because the motivation behind the data breach had been to harm Morrisons itself.  The Information Commissioner’s Office, which investigated the matter, took no action against Morrisons.

After a number of individuals sought to bring claims against Morrisons, a Group Litigation Order (GLO) was applied for.  GLOs allow the Court to centrally manage large numbers of claims in which the claimants share the same interest.

The trial, and the resulting Judgment (Various Claimants v Wm Morrisons Supermarket PLC [2017] EWHC 3113 (QB)) , involved a number of interesting issues for practitioners in this area.  From a lay person’s point of view, however, the ‘result’ was that the Judge found that Morrisons were not directly liable for Mr Skelton’s wrongdoing, but that they were vicariously liable.  In other words, although Morrisons were not at fault, they are liable to compensate the claimants.  The Judgment is currently the subject of a pending appeal.  However, for as long as the decision remains, it means that there are likely to be far more GLOs, and, in all likelihood, defendants will be forced to set up compensation schemes in order to prevent mass litigation and keep costs controllable.  That will be a good thing for prospective claimants who feel they deserve redress, but would perhaps would have baulked at the idea of entering into major litigation.

If you have been a victim of a data breach and wish to take legal action click here to see how our specialist privacy solicitors can assist.