Lessons from the Morrisons data breach ruling

Supermarket chain Morrisons is facing a multi-million-pound compensation claim after losing its appeal against last year's High Court ruling that it was 'vicariously liable' for a data breach where thousands of employees' details were posted online. The case has split opinion but does it have deeper implications for IT security?

In 2015, Andrew Skelton, an internal auditor at Morrisons, was handed an eight-year sentence for posting the personal details of almost 100,000 of his colleagues online.

It was a calculated, criminal act that was designed to damage the supermarket chain and one that reportedly cost £2m to rectify. Last year, over 5,000 affected employees brought a claim against Morrisons to seek compensation, saying the breach caused great distress, given that the information included bank account details, national insurance numbers and salaries.

In its ruling, the High Court judged that Morrisons was not directly to blame for Skelton's actions but that it was 'vicariously liable', which led the company to launch a legal challenge. But on 23rd October this year, the Court of Appeal upheld the ruling and Morrisons is now set to take its case to the Supreme Court.

Two sides of the story

The outcome of the next instalment in this fascinating case will be watched with keen interest by companies across the UK. Whether you agree that Morrisons is an innocent party wronged by the criminal actions of a rogue employee or whether you think it should foot the bill for compensation - either way, the ramifications of the case are significant as a marker for corporate responsibility in relation to breaches of data security.

At its heart, this case speaks to the central conundrum of managing data within a business: on the one hand, it must be kept safe but on the other hand, for the business to benefit from that data, it has to be made available for use. Here, it was acknowledged that Morrisons' IT policies and processes were not at fault – and it is difficult to see what the company could have done differently – but it was deemed 'vicariously liable' because Skelton's actions were sufficiently closely connected with his role at the company.

This highlights the need for systems architects and administrators to walk a complex tightrope when it comes to data security, evening out the competing motivations of protection and practicality, and avoiding sacrificing one objective by tipping the balance too far in favour of the other. For example, you could guarantee absolute security by locking down your data on disks encased in the encryption equivalent of concrete but that level of impenetrability doesn't make it awfully workable at a practical level.

Getting the balance right

Achieving this balance is a universal challenge faced by SMEs and corporates alike. Not only does it require an appreciation of the technology and systems needed to underpin data-handling but it also relies on staff having an appreciation of the wider principles of data protection and an understanding of the specific processes defining how data is used within their business.

Having clear policies in place outlining the rules for managing and handling different types of data is essential. Payroll, as in the Morrison's case, is an area that undoubtedly carries a degree of sensitivity, for example. In instances of data sharing or granting data access to other stakeholders - whether across the business or external third parties - those processes and policies guide decision-making and influence how access is granted.

Striking the right balance between protection and practicality is crucial because risk is something that can never be eradicated completely. Even with the toughest of systems, the people managing them remain a comparatively soft target because of their human frailties. Employees are entrusted by employers to fulfil their duties in a responsible, appropriate way and that trust can inevitably leave a degree of room for mistakes and also open the potential for bad decisions.

Some industries are more acutely aware of the need to protect themselves against threats from their own people than others. An example is recruitment (an industry in which we have a great deal of experience), where so much is dependent on personal relationships and there is a fear that all it takes is for a consultant to export the valuable data from the client list and they are almost immediately established in competition.

Of course, there are security measures that can be taken to safeguard against this risk, but the more security measures in place, the more the trust in the dynamic between employer and employee can get eroded. Ultimately, it's incredibly difficult to fully prevent someone intent on doing something like taking a surreptitious photo of potentially sensitive information on their screen. Actions such as this might not be sophisticated but they can still be effective and they still represent a breach.

Putting the right measures in place

More than anything, the Morrisons case underlines the requirement to stay abreast of best practice in systems and data security and putting the maximum reasonable measures in place to safeguard against breaches. These are decisions that need to trickle down from the top, whether the IT Director in larger organisations or owners of SME businesses who have responsibility for IT. It is about perception of the risk and then mitigating and insuring against it. Getting that right takes time, effort, knowledge and experience. An understanding of the Computer Misuse Act and the principles of good information handling outlined in the Data Protection Act 2018 provide a sound starting point.

For employers, this case also underlines the potential of joining the dots between IT and other areas of the business to help inform risk. In cases where HR is aware of the heightened potential for an employee to act on a grudge against the company, for example, there is arguably a case for reflecting that in the employee's access rights or considering whether any unusual behaviour identified through the use of IT systems represents a cause for concern.

Clearly, employers must also take care to consider the privacy and data rights of employees. The introduction of the General Data Protection Regulation (GDPR) in May and the Cambridge Analytica data scandal have amplified awareness and concern around data privacy among the general public, taking the issue out of the IT department and into our everyday lives. As such, concerns over data misuse are moving beyond financial issues related to fraud and into much broader territory. Indeed, Morrisons says it is unaware of anybody suffering any financial loss as a result of its breach and the compensation claims are .

The Supreme Court is likely to have a significant role to play in deciding whether or not those claimants will be successful and, while Morrisons will be first in line to hear what the judges have to say, companies all across the UK could be impacted by their decision.

Whichever way the judgement falls, consideration of data protection and IT security is only likely to be heightened, with companies likely to face more questions around their processes and policies. If you would like support or advice on how to find some of the answers, get in touch with one of our consultants today.

---