
Could new data breach laws be set to impact on corporate Scotland?

The financial risk for business presented by serious data breaches is now even more apparent due to the recent Court of Appeal decision against supermarket chain Morrisons. The issue will have particular relevance in Scotland in the coming months because of a new group action mechanism which is designed to make it easier to bring group claims like the Morrisons one. This may affect any businesses with operations or customers in Scotland.

The Court of Appeal confirmed that Morrisons was vicariously liable for the data breaches of an employee. This was despite the fact that Morrisons had “provided adequate and appropriate controls” and the data breaches were committed by a rogue employee. Perhaps unsurprisingly, Morrisons is appealing the decision to the Supreme Court.

The case highlights the risk that data security poses even for well-prepared organisations, including the time and cost of the internal investigation and clean-up, action by the regulator, reputational damage, and private claims such as those against Morrisons – the case was brought by over 5,000 employees, and the breach itself involved data of 100,000 employees.

This was the first group action in the UK for data breach. With the arrival of the GDPR, we are likely to see more private claims for data breaches. The GDPR specifically includes a right to compensation for damage, irrespective of whether the impact is financial or otherwise. Data breaches are likely to attract much greater attention given the greater fines that can be imposed under the GDPR. The level of damages may be small per individual, but where the data breach involves a larger group the Court of Appeal recognised that “potentially ruinous amounts” could be involved.

The issue is significant in Scotland given the upcoming introduction of a new group action mechanism. This is intended to offer a more streamlined method for bringing a group of similar claims. It comes as part of a package of measures designed to make it easier and more cost-effective to bring claims for compensation in Scotland. These changes are likely to have a significant impact on consumer actions, and we predict an upturn in both the threat of litigation and the number of claims which are raised. GDPR data breach claims may be an obvious example. 

Whilst the outline of the new group claims procedure has been approved, it is not yet in force, and needs to be developed to bridge a number of significant gaps both of principle and mechanics. We are keen to see a consultation on these aspects to ensure that the procedure is effective in practice and has the support of all stakeholders. We expect progress during 2019. 

Businesses who have operations or customers in Scotland, including in sectors which are susceptible to consumer claims (for instance, pharmaceuticals, financial services, automotive, consumer products and energy suppliers), should be particularly alive to these changes. 

By Joanna Fulton

Partner


Burness admin