Morrisons have lost appeal against liability for data loss
The supermarket chain Morrisons, has lost its appeal over the UK’s first data-leak class action, in a decision that makes employers liable even where they have taken reasonable preventative steps and bear no criminal responsibility.
In 2014, Andrew Skelton, a disgruntled senior internal auditor posted payroll information online, including employees’ names, dates of birth, NI numbers, addresses, telephone numbers and bank account details. Critically, Morrisons was found not to have been lax in the way it protected its data and Skelton has since been jailed for his actions. In a statement, Morrisons noted it had worked hard to remove the leak quickly, and had provided support and protection to its employees. It says it is not aware that anyone has suffered financial damage as a result of the leak.
A group of Morrisons employees, however, demanded compensation for the stress and upset caused by the leak, a right that was established in 2015 by a landmark case Vidal-Hall v Google. Now, both the High Court and the Court of Appeal have found that Morrisons is “vicariously liable”. Vicarious liability being the principle of holding one person or entity responsible for the actions of another. It is more commonly applied in cases of libel or harassment. This is thought to be the first time in the UK that a company has been found vicariously liable for the misuse of data.
The finding came after Morrisons was found not to be primarily liable, as it was not deemed to be the data controller (Skelton was) at the time of the breach, and the method used to transfer the data to KPMG (which involved checks, encryption and authorisation) was said to be sensible and necessary (meaning that it was compliant with its legal duties). Neither was there any indication from Skelton’s past behaviour to suggest he was a security threat.
Morrisons’ lawyers unsuccessfully argued that the firm could not be held vicariously liable because the 1998 Data Protection Act (the legal regime that applied at the time) excludes vicarious liability (see below). Morrisons was permitted to appeal because the High Court judge acknowledged that in awarding compensation against Morrisons it could be argued the High Court had become an accessory to Skelton’s criminal act of trying to damage Morrisons’ business.
The compensation has yet to be set, as the case is now proceeding to the Supreme Court, but the judges acknowledged that such cases could involve “potentially ruinous amounts”, urging businesses to insure against such events. This incident has already cost Morrisons around £2 million to contain and resolve the breach, plus its legal costs.
Industry reactions and perspectives
Kevin Bailey, GTM Director at Gospel Technology, believes that enterprises should be responsible for their employees’ actions but notes that: “The judges’ statement that insurance is the solution was another bad example of addressing the action not the cause. This shows why data protection, sharing and usage needs to be controlled at the data layer. This is the only way to ensure data is protected from both internal and external threats while ensuring accessibility by trusted employees.”
Tim Sadler, CEO and co-founder of Tessian cautions that large enterprises often lack the necessary transparency over how sensitive data is managed and processed. “Organisations with hundreds or thousands of employees may find it difficult to monitor the activity of every individual,” he says. “Companies such as Morrisons that possess large swathes of both staff and customer data have a duty to prevent this kind of data breach from happening. If they cannot monitor or control employee behaviour, they must take the necessary steps to find and invest in a technology solution to prevent data loss from exfiltration.”
“If the Supreme Court finds in favour of the class action, it also opens up enterprises to extortion, warns Bill Evans, senior director at One Identity. “The ruling could pave a new way for enterprising threat actors to extort money from corporations. From this point forward, every business in the UK must redouble its efforts to protect employee and customer data as the cost and frequency of ransomware attacks is likely to increase significantly. In part, this is because the risks and costs associated with the loss of employee data have increased, as employees can now claim compensation for the distress of being impacted by a breach. No longer must they prove negative financial impact; simply the act of having their information compromised is enough to incur loss to the company.”
Will GDPR change liability and offer more protection?
The events of the Morrisons case occurred while the 1998 Data Protection Act was in force. The Act contained a clause – Article 13(3) – that was long thought to provide protection to enterprises against vicarious liability. It states:
“In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned”
The protection of taking reasonable care, provided in this clause, was found by the High Court not to be a defence. It is replaced in GDPR with Article 82(3):
“A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.”
Given that Morrisons were found to be vicariously liable, rather than primarily liable, this clause appears on face value to offer no more protection for compliant enterprises than Article 13(3).
The risk of data proliferation
Morrisons intends to appeal the decision in the Supreme Court, but if this decision stands then it has far-reaching consequences for enterprises.
The role that Skelton had – as a senior auditor – meant he had authorised access to data to carry out a legitimate task. This data is normally highly restricted by Morrisons and kept within Peoplesoft. However, in November 2013, Morrisons were asked to supply this data by its external auditors, KPMG. The payroll data was therefore extracted from Peoplesoft by one of the few employees with authorised access, and an attempt was made to email the data directly to KPMG (which failed). The information was therefore saved to an encrypted USB stick. Skelton copied the data together with other information onto an encrypted USB stick provided by the external auditors and passed it to them, but crucially he retained a copy of the data on his laptop. There seems to have been no checks in place to ensure this data was deleted after the completion of the audit, because the data had moved outside the secure and restricted environment of the Peoplesoft system.
This process demonstrates the risk derived from extracting data out of a secure system in order for third parties (KPMG) to use it for a legitimate task. It emphasises the importance of not just limiting access to data by role but also by time, as well as the specific risks of data proliferation – losing control of data once it has been shared for a legitimate task.
Morrisons has not been found to be lax in its approach to information security by today’s standards, which means that higher standards of information security are going to be required by UK enterprises to protect against the legal risks introduced by the case.
Whatever the ultimate outcome, a breach of this type causes huge reputational and trading damage to a firm, in addition to enormous legal costs. It undermines confidence in an enterprise, because it raises the question: how can customers trust their data to an enterprise (for example, in order to transact online) if it’s been proven the company cannot keep its own employees’ data safe and secure?
Although insurance is being promoted as a solution, as Gospel Technology’s Bailey notes, this is treating the symptom not the cause. Insurers will, in any case, only insure companies that they believe have taken all reasonable steps to avoid a breach – meaning that the cost of improved security could partly be offset against the cost of insurance premiums.
What this means for B2B service providers
In addition to highlighting risks to their own businesses, this case represents an interesting opportunity for B2B service providers. As the enterprise fragments – with more homeworkers, contract workers and mobile workers – and there is increased inter-enterprise collaboration, the problem of both enabling employees (and third parties) to access data they need in the legitimate course of their work, while also ensuring that data remains secure, is set to become an ever-more thorny problem. As increasing numbers of workers require access to corporate data remotely or for time-limited periods, helping enterprises manage such a challenge could be a very lucrative business for those that can get it right.