

Financial institutions beware: cybersecurity lessons from the Wm Morrisons Supermarket case

Andrew Dinsmore has published a further article on cybersecurity breaches in the Journal of International Banking and Financial Law, (2018) 11 JIBFL 693, titled ‘Financial institutions beware: cybersecurity lessons from the Wm Morrisons Supermarket case’. The article considers, in depth, the High Court and Court of Appeal judgments in Various Claimants v Wm Morrisons Supermarket Plc (First Instance: [2018] 3 W.L.R. 691; Court of Appeal: [2018] EWCA Civ 2339).

This is an interesting case for those practising in the area of cybersecurity failures, as it concerned a disgruntled employee publishing the data of nearly 100,000 personnel working at Morrisons and a group action by a number of those employees against Morrisons for liability under the Data Protection Act 1998 (“DPA”), for breach of confidence and for misuse of private information.

The key points of interest are that Morrisons were vicariously liable for the actions of the disgruntled employee, were in breach of Sch. 1 para 7 of the DPA for failing to have ‘appropriate technical and organisational measures’ in place (although this did not cause any loss and thus there was no liability) and were liable in the torts of breach of confidence and misuse of private information, which the Court of Appeal held existed alongside the DPA. Further, at §77 of the Court of Appeal judgment, the court gave a stern warning that companies should have appropriate insurance in place if they wish to avoid ruin over such breaches.

Whilst the GDPR came into effect in May 2018, there continue to be numerous data breaches relating to events prior to its implementation (including recently the British Airways, Cathay Pacific and Marriott data breaches), such that case law on the DPA will continue to play an important role in future litigation on data breaches. In any event, it is likely that the courts will have regard to the DPA case law when construing the provisions of the GDPR, such that it will remain relevant even when the DPA is not directly engaged.

Andrew is currently acting for the claimants in a group action against British Airways and against Cathay Pacific following their high-profile cybersecurity breaches last year and this article follows on from a number of other articles Andrew has published in this area including 'The legal implications of cyber-security breaches for financial institutions' [2017] 11 JIBFL 676 and 'Cybersecurity litigation: jurisdiction, applicable law and class actions' [2018] 8 JIBFL 505.

A copy of the article is attached.

Morrisons JIBFL Dec 2018.pdf (511.88 KB)