Insider threats must be on every employer’s radar
Morrisons data breach case may run for a while yet, says Martin Sloan
At the end of 2017, the High Court issued its eagerly-awaited judgment in group litigation arising out of a data breach affecting 100,000 employees of the Morrisons supermarket chain. The judgment, for which Morrisons has been granted leave to appeal, has major implications for businesses.
In 2013, an internal auditor at Morrisons deliberately copied Morrisons’ payroll file and then posted an edited version online. The individual was subsequently identified and convicted. He had legitimate access to the file in the course of his duties, and his lengthy prison sentence (eight years) reflected the damage his actions had caused Morrisons. The individual took the actions to “punish” Morrisons following a previous disciplinary process.
Following his conviction, around 5,000 affected employees brought an action against Morrisons for distress. The claim, the first group litigation of its kind following a data breach, was brought on the basis that Morrisons was either directly liable or had vicarious liability for the acts of its employee.
Whilst the court found that Morrisons was not directly liable for the individual’s acts and could not have anticipated what happened or taken steps to prevent disclosure, the court did find that Morrisons was nevertheless vicariously liable for the actions of its employee.
On the one hand, the court said the data breach did not arise as a result of a direct breach by Morrisons of its obligations under the Data Protection Act, and that it could not have done anything to prevent disclosure. The judgment contains extensive analysis of a number of things that the claimants argued Morrisons could have done and concludes that it had not fallen short of its duties.
However, the court went on to hold Morrisons vicariously responsible to its employees for the consequences of an act deliberately committed against Morrisons by a rogue employee with the specific intent of causing Morrisons harm. Morrisons was the innocent party and, from the court’s judgment, it seems there was very little that it could reasonably have done to prevent the breach from occurring. Even so, however, the court held that Morrisons was liable to those individuals who suffered damage and distress as a result of the rogue employee’s actions.
Although employers should remain wary of external threats such as ransomware attacks, insider threats and rogue acts by disaffected employees should be on every employer’s radar.
This judgment will cause concern for many organisations, particularly with the General Data Protection Regulation (GDPR) coming into force in May.
The judgment emphasises the importance of monitoring and protecting an organisation from insider threats and rogue employees – whether through monitoring of system use, access controls or otherwise. Of course, any such steps also need to be balanced against the rules that apply to employee monitoring.
The decision also raises interesting issues for data processing contracts and the allocation of liability between data controllers and data processors for the acts of the processor’s staff.
It will be interesting to see what the outcome of Morrisons’ appeal will be. The judge himself expressed some reservations on the conclusions he had reached, so this one may have some way to run yet.
In the meantime, employers should ensure that they have appropriate IT security measures (such as access control to sensitive information) in place, together with staff training, policies and awareness. Organisations should also have in place robust systems to help detect potential cybersecurity breaches as they occur, and procedures to ensure that they are dealt with quickly and effectively.
Martin Sloan is a partner at Brodies LLP