Find a Barrister

Find an Arbitrator

Generic selectors
Exact matches only
Search in title
Search in content
Search in posts
Search in pages
people

Contact

Contact with chambers should be made through the Practice Management Team. They are happy to discuss client requirements and provide further information on such matters as the expertise and experience of individual members, fees, working practices and languages spoken. We have members able to work in French, German, Italian, Spanish, Dutch, Swedish, Greek and Chinese (Mandarin).

Outside working hours, a member of our team is always available to be contacted on matters of an urgent nature. Contact should be made using the Chambers main number or email.

To contact our Singapore office, please contact our BD Director, Asia, Rachel Foxton. Out of office hours calls will automatically be diverted to our clerking team in London.

London

20 Essex Street
London
WC2R 3AL

enquiries@twentyessex.com
t: +44 20 7842 1200
DX 0009 Lond/Chan Lane

Singapore

28 Maxwell Road
#02-03
Maxwell Chambers Suites
Singapore 069120

singapore@twentyessex.com
t: +65 62257230

Contact

Contact with chambers should be made through the Practice Management Team. They are happy to discuss client requirements and provide further information on such matters as the expertise and experience of individual members, fees, working practices and languages spoken. We have members able to work in French, German, Italian, Spanish, Dutch, Swedish, Greek and Chinese (Mandarin).

Outside working hours, a member of our team is always available to be contacted on matters of an urgent nature. Contact should be made using the Chambers main number or email.

To contact our Singapore office, please contact our BD Director, Asia, Rachel Foxton. Out of office hours calls will automatically be diverted to our clerking team in London.

London

20 Essex Street
London
WC2R 3AL

enquiries@twentyessex.com
t: +44 20 7842 1200
DX 0009 Lond/Chan Lane

Singapore

28 Maxwell Road
#02-03
Maxwell Chambers Suites
Singapore 069120

singapore@twentyessex.com
t: +65 62257230

09/01/2019

Financial institutions beware: cybersecurity lessons from the Wm Morrisons Supermarket case

Andrew Dinsmore has published a further article on cybersecurity breaches in the Journal of International Banking and Financial Law, (2018) 11 JIBFL 693, titled ‘Financial institutions beware: cybersecurity lessons from the Wm Morrisons Supermarket case’. The article considers, in depth, the High Court and Court of Appeal judgments in Various Claimants v Wm Morrisons Supermarket Plc (First Instance: [2018] 3 W.L.R. 691; Court of Appeal: [2018] EWCA Civ 2339).

This is an interesting case for those practicing in cybersecurity failures as it concerned a disgruntled employee publishing the data of nearly 100,000 personnel working at Morrisons and a group action by a number of those employees against Morrisons for liability under the Data Protection Act 1998 (“DPA”), for breach of confidence and for misuse of private information.

The key points of interest are that Morrisons were vicariously liable for the actions of the disgruntled employee, were in breach of Sch. 1 para 7 of the DPA for failing to have ‘appropriate technical and organisational measures’ in place (although this did not cause any loss and thus there was no liability) and were liable in the torts of breach of confidence and misuse of private information, which the Court of Appeal held existed alongside the DPA. Further, at §77 of the Court of Appeal judgment, the court gave a stern warning that companies should have appropriate insurance in place if they wish to avoid ruin over such breaches.

Whilst the GDPR came into effect in May 2018, there continues to be numerous data breaches relating to events prior to its implementation (including recently the British Airways, Cathay Pacific and Marriott data breaches) such that case law on the DPA will continue to play an important role in future litigation on data breaches. In any event, it is likely that the courts will have regard to the DPA case law when construing the provisions of the GDPR such that it will remain relevant even when the DPA is not directly engaged.

Andrew is currently acting for the claimants in a group action against British Airways and against Cathay Pacific following their high-profile cybersecurity breaches last year and this article follows on from a number of other articles Andrew has published in this area including ‘The legal implications of cyber-security breaches for financial institutions‘ [2017] 11 JIBFL 676 and ‘Cybersecurity litigation: jurisdiction, applicable law and class actions‘ [2018] 8 JIBFL 505.

Read the article

 

Relevant members
Andrew Dinsmore
Share