Supermarket chain Morrisons has been found liable after a disgruntled employee leaked thousands of employee’s payroll data.
Housing Association Cyber Risks

Supermarket chain Morrisons has been found liable after a disgruntled employee leaked thousands of employee’s payroll data. Currently subject to an appeal, this case, the first of its kind in the UK, means that Morrisons will have to pay compensation to the affected employees.

Current and former workers of Morrisons brought a claim against the supermarket after a disgruntled employee deliberately leaked the personal data – including salary and bank details – of nearly 100,000 staff both online and to newspapers. The data theft meant that 5,518 former and current employees were exposed to potential identify theft and financial loss.

The employee was jailed for eight years in 2015 after being convicted of fraud, securing unauthorised access to computer material and disclosing personal data.

In spite of incurring more than £2 million in breach response costs, the High Court ruled in the civil case that Morrisons was vicariously liable for breaches of privacy and confidence as well as data protection laws. It ruled that the supermarket must pay compensation for the upset and distress caused by this breach.

This is a landmark case as it means that other employers could be held liable for criminal misuse of third-party data caused by an employee even if they were not implicit in the breach.

What are the risks?

With extensive data on tenants and employees, housing associations could be susceptible to data breaches. Amongst the risks this case highlights are:

  • The costs of notifying affected customers, offering credit monitoring and setting up call centres for concerned residents
  • Fees for a forensic identification of the reason for the breach as well as potentially blocking the hacker or removing the malware from your systems
  • Legal costs if any regulatory action is taken
  • Costs and compensation awards for affected residents or employees

What can be done?

This first line of defence against this kind of threat is simply to have a robust set of procedures that ensure everybody understands their role in the management of data. Simple precautions such as regularly changing passwords are easy to implement and effective.

The second line of defence lies with your IT department who should have the most up-to-date anti-virus and firewall protection.

The third and final line of defence is a comprehensive insurance programme that has been tailored to incorporate new risks such as those highlighted by the Morrisons case.

Cyber liability insurance is one option as it covers breach response and regulatory defence costs, incorporating security and privacy liability including as a result of information on your website and social media. It also includes cyber extortion. Operational insurance is another option which covers business interruption, data restoration and income loss while cyber-crime cover helps to protect you against fraud and the theft of your funds by a third party