It’s every business’s worst nightmare: an employee with access to vast amounts of sensitive data shares it, damaging you and your brand.
“It will never happen to me….” is what we all like to think. Unfortunately for Morrisons Supermarket this wasn’t the case. The High Court recently ruled that the retailer was responsible and financially liable for an intentional data breach from a former employee containing Payroll Data from 2014.
A disgruntled employee was given access to vast amounts of personal data relating to 99,998 employees. The employee had clear instructions to deliver the information to external auditors for processing via a USB stick. However, while in transit, the information appears to have been shared via a file-sharing website and was later used in several fraud cases.
A claim was brought by 5,518 employees whose data had been lost in the breach as employees believed that Morrisons were directly liable for breach of statutory duty under DPA and liable for the actions of its employee.
Although the individual was prosecuted under the current Data Protection Act 1998 (DPA) and sentenced to a staggering eight years in prison, Morrisons has subsequently been found ‘vicariously’ liable for the actions of the former employee.
The court did rule that Morrisons was not directly liable for the breach, and that Morrisons was not liable under common law, as the criminal act of stealing and sharing the data was not attributable to Morrisons.
In turn, the court needed to decide whether Morrisons was vicariously liable for the actions of the disgruntled employee. This ultimately depends on whether those actions were connected to his role at Morrisons.
The court found Morrisons vicariously liable because, although the act of sharing the file took place outside of work hours and premises, there was an “unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events”. The employee was entrusted with the data by Morrisons, and what he did was closely related to the task he had been given.
Finally, Morrisons argued that the intent of the employee was to damage Morrisons and that if the court found Morrisons to be vicariously liable the court would be aiding this criminal intention of the disgruntled employee.
Data security in a business is critical. Breaches are growing in number and complexity, and the risk to every business is high. With this issue growing and becoming more high profile, the upcoming launch of GDPR will likely see a significant rise in publicised breaches as reporting becomes mandatory.
This case raises several questions about how all businesses handle data security, especially when entrusting key members of the business with sensitive data under very low levels of data protection or scrutiny.
If you need a bit of help, look no further than Liquid Friday. Our certified GDPR practitioners have 10 years’ experience of working with the recruitment industry and are now working with agencies to review their data collection and handling procedures and manage their risk under GDPR.