In December last year, we reported on a landmark case in the High Court which considered whether Morrisons could be held liable for the actions of a former disgruntled employee. The High Court concluded that it could. Morrisons appealed that decision, and this week the Court of Appeal held that the supermarket chain is liable, as an employer, for the massive data breach.
I’ve set out in brief how this may affect your business and what you can do.
The breach was caused by a disgruntled employee in Morrisons’ IT team who intentionally set out to harm the company by publishing the personal data of nearly 100,000 employees. The data, which had been made available for the purpose of an audit, included names, addresses, salaries, national insurance numbers and bank account details.
As would be expected, the employee was convicted in the criminal courts for his misuse of the data.
Some 5,500 of those employees then brought a civil class action against Morrisons, claiming that the supermarket was responsible for the actions of its former employee and should pay damages.
Despite the finding that Morrisons had appropriate measures in place to prevent the breach, the Court of Appeal nevertheless held the supermarket vicariously liable for its employee’s actions.
It is the first time that an employer has been found liable in a case of this type. Damages are likely to be relatively low per employee, but the overall sum could be very significant as any award will effectively be multiplied by over 5,000. Subject to a likely appeal to the Supreme Court, the supermarket also faces the prospect of claims from the remaining 95,000 employees.
Bear in mind that the ICO concluded Morrisons had done little or nothing wrong, so that enforcement action was unwarranted; that the High Court vindicated Morrisons’ own conduct; and that the former employee has been convicted of a criminal offence. Against that background, the decision raises serious questions for business. Does it mark the beginning of class action litigation against companies for data breaches arising from insider threats?
How can businesses limit their risk?
Although Morrisons was not reprimanded for failing to implement ‘appropriate’ security measures, it nevertheless slipped up by allowing a single employee (who was not especially senior) to have largely unmonitored access to its main database – creating a single point of weakness in its data security. Had more rigorous checks and balances been in place – for example through the use of data loss prevention (DLP) tools – it might have been able to avoid this situation.
Businesses should review their existing policies and processes to identify areas where they are exposed to this kind of risk. It may well be appropriate to improve management oversight of, or provide training to, the employees who handle data in those areas.
Limit the damage
Breaches can be costly because of the newly increased fines under the GDPR, but that cost is often outweighed by reputational damage.
Swift and thorough reporting to the Information Commissioner’s Office and a coherent communication strategy can help limit this.
The Court of Appeal recognised the regularity with which data breaches are making the headlines and suggested that insider threats such as the one experienced by Morrisons are exactly the type of enterprise risk that should be insured against.
Given the increasing frequency of such breaches and the increasing reliance on data, I consider that suitable cover will be (and arguably should already be) regarded as a business essential for those handling large amounts of data. That being said, comprehensive insurance against data protection risks in this new threat landscape can be very expensive and often does not provide cover against administrative fines that could be levied by the ICO.