The recent Court of Appeals ruling regarding Morrisons’ data breach has alarmed many in the business community, and not without good cause. The question being posed throughout industry is whether an organisation can be held liable for the criminal actions of an employee. This raises a multitude of questions for industry which will evolve as in-depth analysis of the case continues. Morrisons, despite not being aware of the actions of its rogue employee, was still found to be partially guilty. According to the ruling, Andrew Skelton, a disgruntled employee, intercepted a collection of personal employee data from a USB stick, posted it online, and also emailed it to several newspapers. Although Skelton, jailed in 2015, bore the brunt of the responsibility for the leak, Justice Bean and Justice Flaux found Morrisons “vicariously liable” under the 1998 Data Protection Act (DPA) for a data breach of 99,998 of its employees’ Personally Identifiable Information (PII).
Court transcripts state that KPMG requested, among other data sets, payroll data to undertake an audit. Morrisons provided this to them via a USB stick to which Skelton had legitimate access, and he downloaded the data onto his laptop. Skelton then copied this information onto his own personal USB stick and subsequently posted it on the internet and also sent CDs of this information to newspapers. This information “consisted of the names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and the salary which the employee in question was being paid”.
Morrisons could, of course, be liable for the loss of these 99,998 employees’ data – and Morrisons’ lawyers argued that payouts for large-scale breaches could potentially ruin companies financially. However, the judges noted that, since data breach insurance is available, this cannot be used as an argument against liability, and that the insurance status of a company is irrelevant as to whether it is liable to compensate its employees. This ruling emphasises that employees have the right to PII protection, which could change the way companies handle their employees’ data.
But there needs to be a shift in the coverage provided by insurers. Current cybersecurity insurance products are, in the main, designed for data breaches relating to customers – not employees. Also noteworthy is that these insurance companies recognise that the negative public relations of a data breach can impact on business reputation; one such insurance policy even covers the expense of a “goodwill coupon” campaign in which the company would offer some kind of discount or rebate to placate customers whose data has been breached.
The judges in the Morrisons’ data breach ruling also noted that “…there was no organised system for the deletion of data such as the payroll data”. According to the judges, this deletion and the protection of this data were “organisational measures which would have been neither too difficult nor too onerous to implement.” This ruling was made under the 1998 Data Protection Act. The new GDPR legislation, which came into force in May 2018, requires organisations to declare breaches to their regulator within 72 hours of them becoming aware of the breach. Because of the large number of breaches now having to be reported to comply with the GDPR laws, more and more companies will be buying insurance to cover the amount of money they would need to pay to the victims of the breach.
There is also a potentially greater issue to be considered which is far more difficult to insure against – that of loss of reputation. Should there be absolutely no system in place, or one that is lacking, customers will see the company’s leadership, and by extension the company itself, as incompetent. This negative perception could have much longer-lasting consequences for the company than the initial breach itself. In the case against Skelton, the judges also noted that Skelton deliberately timed the leak to coincide with the announcement of Morrisons’ annual financial reports. According to the court, “The revelation of the data leak had serious implications for the share value of Morrisons”. According to Computer Weekly, a cyber attack leads to a loss of 1.8% of share value on average.
Aside from this, the potential permanent effects of an act such as that perpetrated by Skelton cannot be underestimated. Due to the nature of the internet, the information he leaked could exist online forever, affecting the lives of those concerned indefinitely. Insurance is an important aspect of corporate survival to avoid financial ruin after a data breach but, by its nature, it does not stop these cyber dangers from threatening an organisation in the first place. And once data is breached, the breach cannot be reversed.
We need to be realistic here. There are no silver bullets. If a rogue employee is intent on egressing enterprise data for malicious purposes, they will without a doubt find a way. All industry can do is put as many hurdles in the way of such acts as is reasonably possible. In the event, the biggest problem for Morrisons is that there are tools available that may have mitigated the risk to some extent.
There are, of course, naysayers who posit that there is no way to exist in cyberspace without any risk of a data breach. In many ways, this awful betrayal could have happened to any company. However, Morrisons did not have the appropriate preventative tools to act swiftly and effectively to stop Skelton’s actions. Under the new GDPR legislation, they would have suffered fines of up to 4% of their annual turnover, because there are solutions available to block the actions of a rogue employee. Although the naysayers are correct in the sense that nothing is wholly foolproof, there are software solutions available which would make it sufficiently difficult for the sensitive information of nearly 100,000 employees to be globally divulged.
With solutions such as GeoLang’s Ascema Data Discovery tool, Morrisons would have been able to detect that Skelton continued to harbour the offending information on his laptop and to force him to remediate information for which he no longer had a legitimate need. If Morrisons had deployed and used data discovery and data loss prevention technology, then not only could they have known and recorded that Skelton was holding the PII of even a single employee – and protected that data in real time – but they would also have blocked Skelton’s attempt to copy the information to his personal USB stick whilst alerting Morrisons about the attempt.
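To make the data-discovery and retention points concrete, here is an added example of the kind of check such a tool performs. It is not code from this article or from GeoLang’s Ascema product; it is a small, stand-alone Python scanner written for this page. It walks a directory, flags files whose contents look like UK payroll PII (the National Insurance number, sort code and account number formats the court listed), and marks any such file that has outlived a chosen retention period – the “organised system for the deletion of data” the judges found missing. The regular expressions are format checks only, not validity checks, and the payroll extract and retention period it scans are constructed sample data for the demonstration.

```python
import os
import re
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Format checks only (not validity checks) for the three identifiers the
# court listed. NI numbers: two letters, six digits, a final letter A-D;
# the letter classes exclude prefixes the format never uses (D, F, I, Q, U, V
# in either position, plus O in the second).
PATTERNS = {
    "ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b"),
    "sort_code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),
    "account_number": re.compile(r"\b\d{8}\b"),
}


@dataclass
class Finding:
    path: str
    counts: dict       # pattern name -> number of matches in the file
    age_days: float    # time since last modification
    overdue: bool      # older than the retention period, so should have been deleted


def scan_file(path, retention_days, now=None):
    """Return a Finding if the file holds PII-like content, else None."""
    now = time.time() if now is None else now
    text = Path(path).read_text(errors="replace")
    counts = {}
    for name, pattern in PATTERNS.items():
        n = sum(1 for _ in pattern.finditer(text))
        if n:
            counts[name] = n
    if not counts:
        return None
    age_days = (now - os.path.getmtime(path)) / 86400
    return Finding(str(path), counts, age_days, age_days > retention_days)


def scan_tree(root, retention_days=30, now=None):
    """Discovery pass over a directory tree, sorted by path for stable reports."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            finding = scan_file(os.path.join(dirpath, name), retention_days, now)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree():
    """Constructed sample data: a payroll extract left behind after an audit,
    backdated 60 days, plus an unrelated file that should not be flagged."""
    root = tempfile.mkdtemp(prefix="discovery_demo_")
    payroll = Path(root, "audit", "payroll_extract.csv")
    payroll.parent.mkdir()
    payroll.write_text(
        "name,ni_number,sort_code,account,salary\n"
        "Jane Example,AB123456C,12-34-56,12345678,31000\n"
        "Sam Example,CE987654A,65-43-21,87654321,28500\n"
    )
    Path(root, "notes.txt").write_text("Meeting at 10am, room 4. Nothing sensitive here.\n")
    old = time.time() - 60 * 86400
    os.utime(payroll, (old, old))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in scan_tree(root, retention_days=30):
        status = "OVERDUE FOR DELETION" if f.overdue else "within retention"
        print(f"{f.path}: {f.counts} ({f.age_days:.0f} days old, {status})")
```

In a real deployment the scanner would run as a scheduled job across endpoints and file shares, feed its findings to a ticketing or DLP console, and the retention period would come from the data-handling policy rather than a default argument; the regex layer would also be supplemented with checksum or context checks to cut false positives on plain eight-digit numbers.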
If organisations do not know where sensitive data is stored, then it becomes significantly more difficult for them to block the actions of rogue employees. Morrisons may still have been found “vicariously liable” even if they had deployed technology solutions as part of their insurance policy, but certainly, penalties for any future data breaches under GDPR would likely be lessened. Morrisons are appealing the court’s decision and industry awaits the outcome with bated breath. Enterprises need to have processes, technologies and insurance in place if they are going to survive the industrial age of the data breach. Understanding that insider threat is the most prevalent cause of data breach is the first step in dealing with error-prone and malicious employees, as is understanding that the malicious insider is relatively rare.
This ruling may stand, or it could be appealed and overturned. However, whatever happens, it has highlighted the need for organisations to put in place systems to prevent data leakage and how data negligence could incur severe costs. There is an old curse – “may you live in interesting times” – and it seems that Morrisons is indeed experiencing just that.
Please note that all court quotes were accessed from:
https://globaldatareview.com/digital_assets/2fbea3f8-968b-4fb9-b3ad-4ec60e5890ed/Morrisons-Court-of-Appeal-judgment.pdf (accessed 25/10/2018)