In a “landmark” ruling, the English Court has held Morrisons liable for a former employee’s leaking of payroll details of nearly 100,000 staff1. In the action, brought by current and former staff, Morrisons denied liability for alleged breaches of privacy, confidence and data protection laws. The claimants also sought compensation for upset and distress. Morrisons, however, denied both direct and indirect liability and submitted that it had already incurred huge costs as a result of the data leak.

Morrisons has been given leave to appeal. If this ruling is upheld on appeal, a definitive precedent will be set whereby a company may be held vicariously liable for the criminal acts of its staff in instances of data breaches and liable to pay compensation for upset and distress. This could pave the way for many such cases in the future.

According to a study by PwC, only one in ten small businesses in the UK has cyber insurance, in comparison with 16% globally. However, this ruling, coupled with the implementation of the EU General Data Protection Regulation (coming into force in May 2018) as a result of which customers must be informed in the event that their data is stolen, will increase clients’ awareness in respect of cyber exposures. This in turn will mean that companies need to be evermore resilient in the face of the growing potential for cyber actions. PwC has predicted that the global cyber insurance market could increase form $2.5 billion in 2015 to $5 billion in 2018, with an estimated $7.5 billion of premiums in 2020.