Morrisons data breach may change the rules around liability in cyber attacks

UK companies may soon be liable for actions of rogue employees, opening them up to massive litigation claims from people affected by data breaches.


Insider threats can be massively damaging for a company. Rogue employees can steal sensitive data about people, processes, and intellectual property and give them to whomever they please. The business ramifications of such actions can be incredibly costly.

But a case of a data breach involving an employee leaking data at a supermarket could be about to change the legal landscape around data breach liability and open up companies that suffer insider attacks to massive legal claims from their victims.

Morrisons, the insider threat, and data breach liability

In 2014, Andrew Skelton, a senior IT auditor employed at the time by UK retailer Morrisons, copied the data of 99,998 Morrisons' employees – including names, bank account details, salaries, and national insurance details – onto a USB stick, took it home, and then months later posted the data to a file-sharing site. After the leak was discovered, Skelton was jailed in 2015 for eight years for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998.

However, that was not the end of it for the supermarket. More than 5,000 employees brought proceedings against Morrisons seeking compensation for the ‘upset and distress’ caused by the leak of their personal data.

The supermarket argued that it was not liable for the criminal misuse of its data. Morrisons was not found liable under the Data Protection Act itself, because it had ‘adequate and appropriate controls’ to protect its data and could not have prevented the misuse in this instance. Nonetheless, the retailer was found liable for Skelton’s actions under the concept of vicarious liability, potentially opening the way for compensation claims from affected employees.

“The ICO found that Morrisons were in no way at fault under the data protection legislation,” explains Bryony Hurst, partner in the Dispute Resolution Group at law firm Bird & Bird. “They were cleared as far as complying with their regulatory obligations concerned but they [the courts] found them liable on the grounds of vicarious liability.”

Vicarious liability means companies can be held responsible for the actions of their employees if those actions took place in the course of their employment. While this has traditionally revolved around companies being liable for employees harassing other employees or customers, WM Morrisons Supermarket PLC v Various Claimants is testing whether Morrisons can be found liable for a data breach caused by an insider threat – and therefore whether the victims of the breach are entitled to compensation from the company – something that has not been considered in UK law before.

“[With vicarious liability] if they have basically gone rogue in some way, as long as it's considered to still be something that's roughly within the remit of the job, then the employer can still be held liable for any loss that has been suffered,” says Hurst.

The case has been going on for several years but is about to come to a head. The original decision was issued in 2017, Morrisons’ appeal against that decision was dismissed in late 2018, and the UK Supreme Court has set November as the hearing date for the case. The ramifications for UK companies could be massive.

The Court of Appeal and the High Court have so far held that it is possible for an employer to be vicariously liable for breaches of the DPA by its employees, and that in Morrisons’ case there was a sufficient connection between Skelton’s employment and his actions to make Morrisons vicariously liable, because the company had given him access to the leaked data as part of his role.

Insider threats can scupper even the most GDPR compliant companies

If the Supreme Court’s rulings agree with the previous findings, companies in the UK will now be liable for the actions of their employees, even if they go out of their way to flout the most stringent data protection processes, controls, and policies.

The ruling could mean that even if a company suffers an incident and the ICO finds the company was compliant from a GDPR/Data Protection Act 2018 standpoint, deems the company to have adequate controls in place around protecting its data, and doesn’t issue a fine, the company in question could still face personal claims or class action lawsuits – known as group litigation in the UK – from those affected by a breach.

“I think the reason that has caused shockwaves, especially for large corporates who probably think they're doing really well under GDPR compliance, is you can tick every GDPR box under the sun and still be found liable on the current judgement,” explains Hurst.

As a result, insider threats – employees who steal or leak data for money or revenge, or expose it through negligence – suddenly become an even greater cost risk than they were previously, whether the data is leaked maliciously or merely unintentionally. Even the most GDPR-conscious company can now, in theory, be scuppered by an irate or careless employee whose job involves working with sensitive data, and be left paying large compensation bills as a result.

If the Supreme Court does agree with previous rulings, the next stage is to decide what level of payout the 5,000 employees in the claim will be entitled to. Quite how costly this could be for Morrisons is yet to be seen. Hurst explains that the top end of payment claims under the previous Data Protection Act could go as high as £10,000-£12,000 per person. And while that is no small chunk of change for Morrisons to pay, it could set a precedent for payments to claimants in other data breaches involving insiders, even if the number of people affected reaches the hundreds of thousands or even millions. Given that Equifax is struggling to pay even the minimum $125 payout per person it owes in response to its data breach due to massive demand, a UK company in a similar position being required to pay thousands of pounds per head may find itself in serious difficulty.

The EU’s General Data Protection Regulation – and the UK implementation of this legislation, the Data Protection Act 2018 – give data subjects the right to compensation due to material and non-material damage as a result of infringement of this regulation, and group litigation claims are currently being run against BA, Marriott, and TicketMaster for data breaches that occurred in 2018, suggesting law firms won’t be shy about making claims on behalf of consumers if they smell an opportunity. While BA and Marriott have been fined by the UK data regulator, the ICO, for GDPR failings around their data breaches, no such ruling has been made against TicketMaster, highlighting the fact that law firms are happy to pursue litigation even without the kindling of a regulator’s rebuke.

You can’t contract yourself out of insider threat liability

Preparing for, or attempting to mitigate, a scenario like the one Morrisons faces is difficult. Many vendors offer behavioral analytics solutions intended to give insight into potential incidents, and companies can adopt policies such as disabling USB ports or restricting access to storage sites not approved by IT, such as Dropbox, but there is no silver bullet, whether from a technical controls perspective or a legal one.

“There is a degree to which you could attempt to put things in your employment contract to almost contract yourself out of liability for anything fraudulent or criminal,” explains Hurst, “but generally speaking that's not going to work.”

Along with robust employee training, Hurst recommends checking that cyber insurance policies are comprehensive, so that a company is as well covered as possible if it is faced with litigation.

“It's largely unpredictable, and the ultimate backstop that you've got is your insurance policy, so review those. Look at the fact that liability is widening now in the UK, and potentially you're going to have these bigger claims coming in, so what's the limit? What's the upper level of coverage? And will it cover stuff done by employees who go rogue?”

Copyright © 2019 IDG Communications, Inc.
