A costly Big Data breach at Morrisons

In an age where data is increasingly centralised and managed digitally, staff data (including financial and sensitive personal data), which is not adequately protected by employers, is becoming more susceptible to falling into the wrong hands and being distributed for the wrong reasons. There is a positive obligation on employers to look after such data and an ensuing data breach could prove costly for an organisation, says Razia Begum of Taylor Vinters.

 

The recent conviction of former senior internal auditor at Morrisons’, Andrew Skelton, for leaking personal details of supermarket staff is illustrative of this. Mr Skelton was jailed for eight years in July 2015 for leaking information (including salaries, National Insurance numbers, dates of birth and bank account details) of around 100,000 staff to various public data-sharing websites and newspapers. The Crown Prosecution Service has clearly demonstrated that it will, without hesitation, prosecute those who wrongly obtain and use personal data and where the potential loss to the victims and quantity of personal data are significant.     

This big data breach at Morrisons’ Bradford head office cost the company a staggering £2million to rectify, not to mention the reputational damage and embarrassment suffered. Morrisons has also stated that it has offered identity theft protection to all affected employees, which no doubt came at another significant cost to the company.   

The Morrisons breach is a stark reminder to employers to have in place effective data protection and fraud prevention (in relation to confidential data as well as revenue) policies, which are implemented and enforced as required. The processes and procedures within such policies should also tie into the organisation's HR policies and provide for regular awareness training, for example, the key dos and don'ts of compliant big data usage. Companies should also ensure they have appropriate policies in place in respect of “bring your own devices” (or BYOD) and remote working, both of which can significantly increase the chances of a data breach. Although prevention is better than cure, in a digital era breaches are unfortunately almost inevitable (however big or small). Companies should also therefore have robust emergency response plans in place ready for execution should a (significant) data breach occur (e.g. to have the ability to immediately take down data and avoid further losses). In the case at hand, it could have cost Morrisons millions of pounds more had it not rapidly responded to the breach and removed or retrieved the staff confidential data from the internet and newspapers, which ultimately helped prevent third parties from using the data at the expense of the staff (e.g. for bank fraud).

Unfortunately for Morrisons that is not the end of the story. Over 2,000 current and former staff are preparing to sue the company alleging that it was responsible for breaches of privacy, confidentially and data protection law. The success of the case for the victims will largely depend on the degree of financial loss suffered by them as a result of the data breach. Morrisons intends to contest the case and is claiming that it is not aware of any financial loss having been suffered by staff. Arguably, however, the damage has already been done from Morrisons’ view, given the significant costs and time involved, together with the negative media attention received, in discovering and rectifying the breach in the first place.   

For more information, please speak to Razia Begum on +44 (0)20 7382 8025.

______________________________________________________________



Looking for something specific?