How Will Morrisons’ Failed Data Breach Appeal Impact Other UK Organisations?
The High Court has ruled that Morrisons was legally responsible for the data leak caused by former employee Andrew Skelton, who published payroll data of almost 100,000 staff in 2014.
Morrisons faces a multimillion-pound payout after losing an appeal against a ruling that opened the floodgates to compensation claims from thousands of the supermarket’s employees who had their personal information published online.
The ruling has set a significant precedent for data privacy, and for businesses that may suffer at the hands of rogue employees. But exactly how will the case affect the way businesses protect data in the future?
Lesley Holmes, data protection officer at MHR
“This case highlights the levels of technical and organisational controls that need to be in place even in the most trusted parts of your business to ensure that personal data is not stolen or otherwise misused. The original decision looked at the relationship between the company and Andrew Skelton, who leaked the data, and traced a golden thread of accountability throughout the collection, use and disclosure of the data for both parties.”
Ewen O’Brien, EMEA director at BitSight Technologies
“There are crucial cyber risk management steps that retailers like Morrisons can take to mitigate cyber risk. These include examining the cyber incidents that could have a major economic impact on your organisation; running a security incident exercise; and making sure that the board of directors is brought up to speed on the effectiveness of cybersecurity programmes. To mitigate cyber risk on a day-to-day basis, they must constantly monitor their diligence at implementing security best practices, and user behaviour.”
Andy Richmond, UK VP at Varonis
“CEOs and board members should take note of the High Court decision – that the actions of one rogue employee can very well lead to group litigation down the road. The ruling sets a precedent that victims of breaches will have their day in court and the responsible parties will indeed be held accountable. With the GDPR now in place, expect these penalties and lawsuits to become increasingly common and costly.”
Bill Evans, senior director at One Identity
“The recent ruling against Morrisons could pave a new way for enterprising threat actors to extort money from corporations. From this point forward, every business in the UK must redouble its efforts to protect employee and customer data as the cost and frequency of ransomware attacks are likely to increase significantly. In part, this is because the risks and costs associated with the loss of employee data have increased as employees can claim compensation for the distress of being impacted by a breach. No longer must they prove negative financial impact; simply the act of having their information compromised is enough to incur loss to the company.
Businesses would be best served to ensure the four bases of cybersecurity are in place and in operation to minimise these costs. These include privileged access management to protect the most powerful accounts, multifactor authentication for, at the very least, privileged accounts, governance to ensure only the right people have the right access, and end-user education so all employees know the risks and costs associated with a cybersecurity breach.”
Simon Sharp, VP International at insider threat management specialist, ObserveIT
“Andrew Skelton was the real bad guy when this breach occurred back in 2014 and he’s already serving an eight-year sentence for his crimes. However, the Courts clearly don’t believe that Morrisons is devoid of all responsibility. Like any business holding sensitive data, it has an obligation to do what it can to adequately protect sensitive information – in this instance, some 100,000 employee records.
“To avoid being hit with expensive and damaging compensation claims like the one Morrisons is now facing, businesses need to take effective steps to identify and thwart insider threats before they become a problem. The introduction of easy-to-follow policies coupled with effective monitoring technologies has the ability to stop rogue employees in their tracks. This kind of approach is particularly important when staff have access to high-value information, such as payroll details.”
Tim Sadler, CEO and co-founder at Tessian
“This data breach highlights the financial and reputational damage that a single employee’s misconduct can have on an organisation. Despite such detrimental ramifications, many companies lack the necessary transparency over how sensitive data is managed and processed.
This can be a difficult task. The opportunity to profit from stolen proprietary data means that an employee may endeavour to extract it. As long as this temptation and the opportunity to pursue it remain, so too does the threat of data theft. Moreover, organisations, especially those with hundreds or thousands of employees, may find it difficult to monitor the activity of every individual. Companies like Morrisons that possess large swathes of both staff and customer data have a duty to prevent this kind of data breach from happening. If they cannot monitor or control employee behaviour, they must take the necessary steps to find and invest in a technology solution to prevent data loss from exfiltration.”
Alan Calder, CEO of Vigilant Software
“In this specific case, ISO 27001 is unlikely to have saved Morrisons – the judge determined that they had taken appropriate steps to protect this data. It’s only now, in the light of the judgement, that you realise you have to take even more extreme steps to ensure absolute confidence in data protection.
“The only conclusion that I can draw from this is that the single most practical mechanism by which personal data should move between systems is entirely on a system-to-system basis. Any process that allows the download and re-upload of personal data, however appropriately protected, is still going to open up the possibility of vicarious liability – and this is simply a risk that no organisation should want to take.”
Oz Alashe, CEO at CybSafe
“It is hard to see what Morrisons could have realistically done to prevent this situation from arising. Nevertheless, the message from today’s ruling is clear: even when a company is the victim of criminal activity from within its own organisation, ultimate responsibility for keeping personal data secure rests on its shoulders.
“This failed appeal serves as a serious warning for business leaders across the country. Organisations now have a far greater duty of care to protect users and prevent the unlawful activities of disgruntled staff. They must be far more careful about what information staff have access to across every part of the business. For very large organisations in particular, this ruling drastically complicates their requirements to guard against the risk of data security breaches.”
Christopher Littlejohns, EMEA manager at Synopsys
“On the face of it, Morrisons’ loss in court was in relation to a typical disgruntled employee with an axe to grind issue. However, there was some significant variance in this case. Firstly, the employee was employed by the firm’s auditors, KPMG, and was therefore not a direct employee. This was why Morrisons were found ‘vicariously liable’ as opposed to ‘primarily liable’, in that they approved the said individual from KPMG to act on behalf of Morrisons during the transfer and use of highly sensitive personal data.
“Secondly, the processes that Morrisons and KPMG followed for the storage and transfer of the data were not really found at fault. They used encryption on USB devices on both sides, for example. However, there was a window of opportunity for the KPMG employee to retain unencrypted data on his own laptop. This is where the weakness lay, and he was able to exploit this weakness for his own means by retaining an unencrypted copy which he subsequently transferred to his personal PC.
“The lessons to be learned here are twofold. Firstly, you may be found liable as an employer for third parties’ behaviour to which you grant responsibility for processing sensitive data, therefore you should ensure your supplier has adequate checks and balances of the suitability of such people to act on your behalf. This should include revealing information that is pertinent to any potential changes in that suitability. In this particular case, that appeared to be the case, as the KPMG employee received a disciplinary procedure in relation to his work with Morrisons, hence the grievance he had and his subsequent actions.
“Secondly, although the costs may be disproportionate to the perceived risk, additional procedure and oversight could have prevented the opportunity for the retention of a copy of the data. E.g. a second pair of eyes on the transfer process.”