In a decision last year the Court of Appeal found that Morrisons was liable to over 5,500 of its employees for the actions of a rogue member of staff who had deliberately leaked their personal data. The decision may seem harsh on Morrisons, and is being appealed in the Supreme Court.
The amount of damages to be awarded to the claimants in the case has not yet been decided, but the decision will be awaited with much interest as it will hopefully provide some much needed guidance on how much claims of this kind are usually worth.
Whilst many have heard of the significant damages awarded in the high profile phone-hacking breach of privacy cases, these tend to be the exception rather than the rule: most awards are usually fairly modest. An often cited case is the decision in TLT and others -v- The Secretary of State for the Home Department and the Home Office, where six asylum seekers brought claims after personal data about them was inadvertently published on the Home Office website. They were awarded damages of between £2,500 and £12,500 each. In that case, some of the claimants were in genuine fear for their lives, suggesting that these awards would be at the higher end.
Notwithstanding this, the highly publicised “celebrity” cases do add to the public’s wider awareness of privacy / data breach claims, and this can result in an increased number of claims being brought against businesses if issues do arise. Even low level data breaches can have a significant impact on businesses where a large number of individuals are affected. The Information Commissioner’s Office can also impose fines for data breaches, which can further increase the liability of businesses for such incidents.
What Should Businesses Be Doing?
Whilst we wait for the decision on the value of the Morrisons claims, the potential financial impact on businesses for privacy and data breach claims is likely to remain uncertain. Businesses should take steps to manage the risks involved in potential data breaches and know what to do if one arises.
- Review your business’ data governance policies and procedures.
- Check your business’ current insurance arrangements to ensure you have appropriate cover in place to deal with any incidents effectively.
- If a data breach does occur, obtain advice promptly to manage the risks involved and communicate appropriately with those affected, stakeholders, insurers and regulators.