Of the more likely places to expect a seminal cyber security incident, a British supermarket would not be most people’s first choice. Yet supermarket Morrisons stands at the precipice of a legal decision that could well carry long term implications for how UK cyber security operates in the future.
The facts of the case are quite simple. In early 2014, a dissatisfied employee – Andrew Skelton – motivated by what was believed to be a grudge against his bosses following internal disciplinary proceedings against him, chose to leak the payroll data of Morrisons staff. This data, which included the salaries, bank account details, National Insurance numbers, and dates of birth of around 100,000 staff, was dumped online via a file sharing site. Further personal information, including home addresses, tax codes, and telephone/mobile numbers, was included in the data as well.
To most businesses the story is simply that a dissatisfied employee has breached his trusted position within a business, committed a criminal act and been caught in the process. Skelton was subsequently sentenced to eight years in jail in July 2015 for breaches of the Computer Misuse Act (1980) and the Data Protection Act (1998). This and the fact that Morrisons was also awarded a compensation payout of £170,000 would appear to validate the view that Morrisons was simply the victim of an isolated criminal act by a then trusted senior internal auditor; other employees of Morrisons thought otherwise.
Since 2015 more than 5,000 Morrisons staff have engaged their employer in a collective lawsuit for compensation against the company, effectively arguing that Morrisons should hold vicarious liability for the actions of Skelton. Since then, Morrisons has been on a losing path of court verdicts that could carry huge ramifications for corporate liability to data breaches and cyber security.
An initial court verdict indeed found Morrisons liable, and on appeal the UK High Court upheld the decision on 22nd October 2018. Since then it has been a waiting game to see if permission would be granted for Morrisons to appeal at the Supreme Court. This was granted in April 2019, with a final decision set to be reached before the end of 2019.
If the verdicts of Morrisons’ liability are upheld, there are significant consequences for the future of UK cyber security, four of which will be considered here:
1. A precedent that companies will hold liability even in situations where an employee has committed a malicious illegal offence
The Skelton case initially appeared as simple as a rogue employee who chose to commit a criminal offence and has been sentenced accordingly. The court’s view, however, was that internal processes at Morrisons did not adequately account for Skelton’s motivations following disciplinary proceedings, and that this in fact created a sufficiently substantial link between his actions and his employment to warrant vicarious liability.
The role of adequate processes within all businesses to handle appropriate access to data following disciplinary hearings is clearly a core lesson to be learnt from the Morrisons case. It will not be a sufficient defence for companies to declare a criminal act has been committed, if processes failed to anticipate the risk that employees like Skelton pose.
Should the verdict be upheld, UK businesses will find themselves in the position of needing to demonstrate no substantive link between an employee’s actions and their employment. The solution to this will rely on robust internal processes to reduce and remove the possibility of criminal acts being committed in this manner again.
2. The cyber insurance market will likely be gifted a benchmark in data compensation on which to base future policies
The big winner of the Morrisons case will not be those Morrisons employees themselves receiving compensation; instead, it is more likely to be the cyber security insurance market as a whole. So far insurers have struggled greatly in identifying robust methods for underwriting cyber security, as well as in calculating how compensation would work depending on the severity of the incident in question.
A Supreme Court verdict that sees Morrisons lose will provide a legally imposed benchmark for data breach compensation in the UK. The best insurance comparison in this instance is with personal accident coverage: whether one refers to cyclists or other types of cover, the insurance market for personal accident has evolved to a mature model of payout depending on the injury. Basic injuries carry a low payout; more severe injuries requiring time off work, and even life changing circumstances, receive much higher payouts. Currently such a model does not exist in cyber security in general, or data breaches in particular.
A Morrisons loss will see a price per person payout benchmark set based on some of the most severe data an individual can lose, their financial information. This benchmark will allow insurers to follow the lead of UK courts and set their policy payout points from that level of severity downwards. If a data breach includes only basic information like a person’s name and email address, a low payout is likely. If the data includes financial or private health data, the payout level will be much higher indeed.
3. UK courts will likely see many more collective actions for data breaches
If the Morrisons verdict is upheld, there are sure to be further cases brought against companies operating in the UK that suffer data breaches. Whether such cases operate under the previous Data Protection Acts or the nascent GDPR, should Morrisons be found vicariously liable then it is a reasonable expectation that UK courts will find themselves very busy indeed.
Another avenue to consider is this: now that the PPI deadline has passed in the UK, it is likely that the many compensation support companies who now find themselves out of work, but still commanding a large workforce and infrastructure, will pivot to a focus on data breach compensation claims.
The scenario is less likely to resemble the Morrisons staff, who brought a collective action themselves against their employer, and more likely to involve former PPI compensation companies now bringing compensation claims for data breaches on behalf of their new clients. This will be on both small scale cases and as collective actions.
4. Finally, the executive boards of all companies need a new conception of how to calculate their liabilities relating to a cyber security incident.
One fact that should perturb the executives of UK companies is the timeline that Morrisons has faced. For an incident that occurred in early 2014, with a successful conviction achieved by July 2015, in 2020 that company faces the spectre of huge payouts to almost 100,000 people. It is clear that the costs and liabilities of a cyber security incident extend far beyond the immediate impact of the event itself.
Company leaders and executives must now begin to calculate the full and true costs of what a cyber security incident can be. The days when consideration to investment in Incident Response and Forensics might have been enough are long gone. The full range of costs for a cyber incident must now also include prolonged litigation and the possibility of payouts based on liabilities.
The sad truth now facing UK companies is that even if the business survives the immediate impact of cyber security incidents such as a data breach, the costs that come may not even become clear until several years later.
In conclusion, the Morrisons case is a fascinating study in UK cyber security, one that depending on the UK Supreme Court’s decision this winter, could well prove to be a watershed moment in this country. What the case has shown with absolute clarity is that no business can afford to allow its internal processes to be exploited by criminal intent, because that company may well still be liable.
The ramifications of the Supreme Court’s decision will extend far beyond Morrisons itself, into the cyber security insurance market, other data breach cases, and how business executives fundamentally calculate their liability to a data breach. Yet it also reveals a basic truth that all businesses need to remember: while cyber security presents many genuinely complicated challenges for all businesses to face, the Morrisons case has shown above all how unimportant technology was, and how incredibly important internal processes are, in preventing harm from coming to 100,000 employees.