Morrisons Found Liable for Data Breach
- Date: Tuesday 30th October 2018
We have referred to the Morrisons data breach case in previous e-bulletins and now we can confirm that the Court of Appeal has upheld the earlier ruling that the company is liable for the breach, caused by a disgruntled employee, which resulted in the highly sensitive personal data of nearly 100,000 employees being posted online.
The data breach where salary, bank details and National Insurance details were posted online shows that employers are vicariously liable for acts conducted by an employee during the course of their employment. The employee was given an encrypted memory (USB) stick containing the data by a member of the HR team to do an audit. He copied the data to a personal memory stick and then posted the data to a file sharing website and sent the data to newspapers.
Morrisons have been held responsible and will have to make compensation payments to workers who have suffered loss or damage resulting from the action of one employee.
An organisation can be held liable (and responsible) even though it did not authorise an employee to carry out an act. An organisation can be liable for any wrongdoing if an employee is found to be acting in the course of his or her employment. Consequently, even if an individual’s intention is to harm their employer, the employer can still face liability as a result.
How to reduce the risks?
- Have a data protection policy to outline acceptable employee behaviour
- Inform employees what processes and procedures are in place within the business to protect personal data, such as internal monitoring of email and internet activity
- Set out acceptable and unacceptable behaviour (e.g. prohibit downloading or sending of data to personal devices or email accounts)
- Monitor employee activity in line with this policy and any internet and email policy, so that situations where there is a risk of a data breach are detected. This includes monitoring e-mails with a high quantity of data attached
- Consider the roles in your company and where the greatest risks exist. Consider preventing access to USB ports on PCs used for the processing of sensitive data
- Be proactive to prevent a data breach occurring and avoid the risk of being found liable for such a breach
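As an added illustration of the monitoring step above (this is example code written for this bulletin, not anything from Morrisons or SSG), the script below scans constructed mail-gateway log lines and flags messages that send data to a personal webmail domain or carry an unusually large attachment to an external recipient. The log format, the company domain, the personal-webmail list and the 10 MiB threshold are all assumptions to be replaced with your own policy values.

```python
import re

# Constructed sample mail-gateway log lines (assumed format, not real traffic).
SAMPLE_LOG = """\
2018-10-30T09:12:01 from=hr.auditor@example-corp.test to=payroll@example-corp.test attach_bytes=524288
2018-10-30T09:45:17 from=hr.auditor@example-corp.test to=someone@personal-webmail.test attach_bytes=2048
2018-10-30T10:03:44 from=hr.auditor@example-corp.test to=newsdesk@paper.test attach_bytes=73400320
2018-10-30T10:10:02 from=it.support@example-corp.test to=vendor@supplier.test attach_bytes=1048576
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) attach_bytes=(?P<size>\d+)$"
)

INTERNAL_DOMAIN = "example-corp.test"            # assumed company domain
PERSONAL_WEBMAIL = {"personal-webmail.test"}     # assumed list of consumer mail domains
LARGE_ATTACHMENT_BYTES = 10 * 1024 * 1024        # assumed policy threshold: 10 MiB


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "sender": m["sender"], "rcpt": m["rcpt"], "size": int(m["size"])}


def classify(event):
    """Return the list of policy rules an event breaches (empty if none)."""
    rcpt_domain = event["rcpt"].rsplit("@", 1)[-1].lower()
    reasons = []
    if rcpt_domain in PERSONAL_WEBMAIL:
        reasons.append("personal-webmail-recipient")
    if rcpt_domain != INTERNAL_DOMAIN and event["size"] >= LARGE_ATTACHMENT_BYTES:
        reasons.append("large-external-attachment")
    return reasons


def find_alerts(log_text):
    """Scan a block of log text and return (timestamp, sender, recipient, reasons) tuples."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue                      # skip malformed lines rather than crash
        reasons = classify(event)
        if reasons:
            alerts.append((event["ts"], event["sender"], event["rcpt"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, sender, rcpt, reasons in find_alerts(SAMPLE_LOG):
        print(f"{ts} {sender} -> {rcpt}: {', '.join(reasons)}")
```

Alerts from this scan are a starting point for review under the internet and email policy, not proof of wrongdoing; tune the threshold and domain lists to your own environment.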
Source: Gavin Parrott, SSG