Promising to “show who we are” in a recently unveiled marketing campaign, supermarket chain Morrison’s may well have been overexposed with a data leak of around 100,000 staff members’ personal details at the hands of a disgruntled employee. With the legal decision holding Morrison’s responsible, the verdict will be felt far and wide by any organisation suffering a data breach caused by a disgruntled employee.
In October, the Court of Appeal upheld an earlier decision in the case, the UK’s first-ever data-leak class action, brought against Morrison’s after workers’ salaries, bank account details, National Insurance numbers, dates of birth, addresses and telephone numbers were published.
The judgment has reverberated around the country’s legal and business sectors. “It’s important to bear in mind when thinking about the judgment that the employee’s primary motive was to harm the company,” says Steven Hadwin, Head of Operations in law firm Norton Rose Fulbright’s Data Protection, Privacy and Cybersecurity practice. “The thousands of employees whose personal data he leaked were essentially collateral damage. But, the Court of Appeal upheld the original court’s decision that the company should be held vicariously liable for his actions – which in a sense helps the employee to achieve his aims.”
The judges found that although Morrison’s had complied with its data-protection obligations it didn’t do enough to prevent its former employee, Andrew Skelton, from stealing and posting online the staff payroll information which he had access to through his job as a senior internal auditor at the company’s HQ.
“The judgment is surprising,” says Matt Webb, Cyber Line Underwriter for Hiscox London Market. “Morrisons is a victim in this case too, but the court has found that it is vicariously liable for employees’ actions even though it had taken preventative steps and bore no criminal responsibility.”
The ruling paves the way for former and current staff to seek compensation from Morrison’s for their data being posted online, which could cost the company millions of pounds. It also means that customers or staff could sue any organisation if a rogue employee was to leak their sensitive information. “It could create an incentive for other disgruntled employees to do the same,” says Hadwin.
A question of trust
The ruling puts the emphasis now firmly on companies to work harder to prevent disgruntled workers from being able to cause damage.
“Organisations must walk a fine line between trusting their employees too much or too little,” says Laurance Dine, Managing Principal of technology and communications firm Verizon’s Investigative Response team. Give them too little and they won’t be able to do their jobs properly. Give them too much and they might abuse it and damage your company.
Around two in every ten data breaches Dine’s company investigates are the work of rogue employees, “but these people can often do the most harm because they know the way in which their company works,” he says.
A problem is that all too often, organisations allow their employees far more access to information than they need. “Some have completely open-plan networks, in which almost every staff member from the receptionist up has access to some sensitive data. That’s dangerous, because it not only makes companies vulnerable to a malicious employee but also to hackers that may steal an innocent staff member’s login credentials,” says Dine.
Companies should ensure that access to their most sensitive data is restricted to those workers that need it as part of their everyday jobs, and regularly check whether those with access have changed jobs or moved on, says Dine.
Although the ruling makes organisations liable for employees who steal confidential information they are authorised to see, companies can install systems to monitor who has clicked on that data and block or log if that data is downloaded from their servers. The Morrison’s data leak resulted from information being illicitly downloaded onto a personal USB stick and posted online from a home computer. “It’s possible to specify that sensitive data can only be transferred onto particular approved external hard drives, making it impossible to steal that information by putting it onto an unauthorised device,” says Dine.
It’s also worth making sure that workers with an axe to grind can’t access a company’s most sensitive information. Skelton was motivated by revenge after he was disciplined by Morrison’s for running an online business through the company HQ’s post room. “You don’t want to be looking over your employees’ shoulders all the time, but it’s important to protect your organisation by putting stricter controls or closer monitoring around those who feel angry with it,” says Dine.
“We often still see situations where employees who are clearly disgruntled are allowed to operate without any restrictions, even though they have keys to the kingdom.”
Open to a revenge attack
But, even companies that take steps to protect against malicious leaks are vulnerable to a worker who is willing to stop at nothing to wreak revenge. “It is almost impossible for companies to protect against someone who is absolutely determined to leak sensitive data. Let’s not forget the person responsible for Morrison’s data breach is now in prison [Skelton was in 2015 sentenced to eight years in jail]. Even the risk of prosecution didn’t deter him,” says Hadwin.
The Court of Appeal judges acknowledged their decision could lead to claims against companies for “potentially ruinous amounts” following data breaches. But, in their judgment they argued: “The solution is to insure against such catastrophes, and employers can likewise insure against losses caused by dishonest or malicious employees.”
The sheer scale of the risk might put off some underwriters, however, Hadwin says. “I’m unsure whether insurers would be comfortable underwriting the risk of potentially huge payouts for data breaches caused by employees who were motivated by grudges.”
The legal system is having to catch up with developments in technology and how data is now handled, says Webb. “Underwriters constantly monitor new laws, regulations and court decisions. Cyber insurance policies are designed to protect the companies that purchase them and so cover extends to losses caused by rogue employees.”
Hadwin believes the case will go to the Supreme Court, even though the Court of Appeal denied permission for Morrison’s to appeal its judgment, as the company has vowed to fight on and the judgment raises some troubling legal issues. “I’m unsure if the decision as it stands furthers the cause of justice. It will be interesting to see how the Supreme Court approaches the reasoning of the existing judgments and whether it might look to public policy grounds so as to avoid furthering the ends of a wrongdoer by making an employer liable for his actions.”
But, even if Morrison’s does succeed in having the case heard by the country’s highest court, it is unlikely to be resolved before spring 2019. For now, companies should take extra measures to protect their most sensitive information from angry and discontented workers.
“It’s important that they restrict access to their important data so only those employees that need to see it can do so. They also need to control workers’ ability to exfiltrate data and make sure they monitor unusual activity, such as downloading large files or viewing data that is not normally accessed,” concludes Webb.
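The two controls that Dine and Webb describe above, restricting and regularly reviewing access to sensitive data, and monitoring for unusual activity such as bulk downloads or access to data a user does not normally view, can be illustrated with a small script. The following is an added example and not code from the article or from Morrison’s, Verizon or Hiscox; the role list, HR directory, access grants and key=value log format are all constructed here for illustration, and a real deployment would read these from an identity system and an access-log source instead.

```python
import re
from collections import defaultdict

# ---- 1. Access review: least privilege and stale grants ---------------------
# Constructed data: which sensitive datasets each role needs for its everyday job.
ROLE_NEEDS = {
    "payroll_clerk": {"payroll"},
    "internal_auditor": {"payroll", "ledger"},
    "receptionist": set(),
}
# Constructed HR directory: user -> current role (None means the person has left).
DIRECTORY = {"clerk1": "payroll_clerk", "auditor1": "internal_auditor",
             "recept1": "receptionist", "exclerk": None}
# Constructed list of current grants on the sensitive datasets: (user, dataset).
GRANTS = [("clerk1", "payroll"), ("auditor1", "payroll"), ("auditor1", "ledger"),
          ("recept1", "payroll"), ("exclerk", "payroll")]

def review_access(grants, directory, role_needs):
    """Return grants that no longer match a need: leavers, or roles that don't need the data."""
    findings = []
    for user, dataset in grants:
        role = directory.get(user)
        if role is None:
            findings.append((user, dataset, "leaver still holds access"))
        elif dataset not in role_needs.get(role, set()):
            findings.append((user, dataset, f"role '{role}' does not need this dataset"))
    return findings

# ---- 2. Activity monitoring: bulk exports and unusual data access -----------
# Constructed log format: one event per line, key=value fields.
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>read|export) "
                    r"dataset=(?P<dataset>\S+) records=(?P<records>\d+)$")

# Constructed baseline period: what these users normally do.
BASELINE_LOG = """\
2018-09-03T09:02:11 user=clerk1 action=export dataset=payroll records=40
2018-09-04T09:05:47 user=clerk1 action=export dataset=payroll records=52
2018-09-03T10:14:09 user=auditor1 action=read dataset=payroll records=15
2018-09-05T14:31:55 user=auditor1 action=export dataset=ledger records=200
"""
# Constructed recent activity to evaluate against that baseline.
RECENT_LOG = """\
2018-10-01T09:01:30 user=clerk1 action=export dataset=payroll records=45
2018-10-01T18:47:12 user=auditor1 action=export dataset=payroll records=99998
2018-10-02T08:15:03 user=recept1 action=read dataset=payroll records=3
this line is malformed and must be skipped rather than crash the monitor
"""

def parse_log(text):
    """Parse key=value log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["records"] = int(ev["records"])
            events.append(ev)
    return events

def build_baseline(events):
    """Per user: the datasets they normally touch and their largest routine export."""
    baseline = defaultdict(lambda: {"datasets": set(), "max_export": 0})
    for ev in events:
        b = baseline[ev["user"]]
        b["datasets"].add(ev["dataset"])
        if ev["action"] == "export":
            b["max_export"] = max(b["max_export"], ev["records"])
    return dict(baseline)

def detect_anomalies(events, baseline, volume_factor=5):
    """Flag access to datasets a user never touched before, and exports far above their norm."""
    alerts = []
    for ev in events:
        b = baseline.get(ev["user"])
        if b is None or ev["dataset"] not in b["datasets"]:
            alerts.append((ev["user"], "unusual dataset access", ev["dataset"]))
        normal_max = b["max_export"] if b else 0
        if ev["action"] == "export" and ev["records"] > volume_factor * max(normal_max, 1):
            alerts.append((ev["user"], "bulk export", ev["records"]))
    return alerts

if __name__ == "__main__":
    for finding in review_access(GRANTS, DIRECTORY, ROLE_NEEDS):
        print("ACCESS REVIEW:", finding)
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for alert in detect_anomalies(parse_log(RECENT_LOG), baseline):
        print("ALERT:", alert)
```

Run as-is, the access review flags the receptionist's payroll grant and the leaver who still holds access, and the monitor flags the auditor's export of nearly 100,000 payroll records (the baseline for that account never exceeded 200) together with the receptionist's first-ever read of payroll data. Note that the auditor's access itself is legitimate, which is exactly the Morrison's situation: the review step cannot catch it, so the volume and novelty checks on the activity log are what make the difference.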