The vicarious liability of data breaches and how to protect your organization
It’s bad enough when a data breach involves lawsuits from thousands of customers, but what happens when a staff member turns the data against his own employer?
A recent ruling from the UK Supreme Court addresses exactly such circumstances.
The case began in 2014 when a senior internal auditor for Morrisons Supermarket, a UK retail chain, went rogue and exposed the personal data of more than 100,000 staff. Payroll data including personally identifiable information, insurance and bank account numbers, and salary details were made available on a file-sharing website and eventually sent anonymously on CD copies to three newspapers.
Andrew Skelton, the perpetrator, was eventually convicted and sentenced to eight years in jail. In addition to Skelton’s sentence, Morrisons Supermarket was also charged with vicarious liability in the court case and faced civil proceedings from approximately 5,000 employees who argued that Morrisons was liable for the misuse of their data.
Morrisons eventually appealed the charge, arguing that the 1998 UK Data Protection Act excluded vicarious liability, as explained by Cordery.
Fortify your cyber defense with people, process, and technology
Data breaches aren’t a matter of if, but when. As regulation on data privacy and protection increases, it’s vital that organizations build a strong and resilient cybersecurity program. The following measures can help prevent a data breach and reduce the damage when one occurs.
- Data loss prevention: Data loss prevention (DLP) is an approach that restricts end users from sending data outside of the corporate network. By implementing a DLP solution, organizations can detect not only unauthorized attempts to access data but also the transmission of confidential or sensitive information outside of the company network.
- Web content filtering: This method restricts staff access to certain webpages and email messages based on category-specific content, similar to parental controls on a home computer. Besides lowering the risk of unwanted data exposure by blocking access to potentially malicious sites, filtering web content can also improve employee productivity.
- Cyber liability insurance: Also known as cyber risk insurance or cyber breach insurance, this option provides coverage for the financial consequences of electronic security incidents and data breaches. While the price of insurance is determined on a case-by-case basis, organizations should weigh the cost of cyber liability insurance against the cost of a potential security or data breach.
- Cybersecurity assessment: If you already have a strong cybersecurity program in place, why not put it to the test? An assessment identifies current vulnerabilities so that the program remains effective against current threats. It can also help inform executives about the effectiveness of security training by exposing employees to external phishing campaigns, the results of which provide metrics on an organization’s ability to respond to a potential cyber incident.
- Incident response plans: An incident response plan is a set of instructions that helps IT staff detect, respond to, and recover from network security incidents. A strong plan establishes lines of accountability and maintains open lines of communication through the “lessons-learned” phase. Regular exercises with key stakeholders keep the plan active and relevant to emerging threats.
- Cybersecurity awareness training: Yes, this is the annual training we have to check off each year. Phishing attacks account for more than 80% of reported security incidents, and hackers are rapidly developing new techniques for sending fake company emails. For staff on the front lines, it’s necessary to ensure they can effectively detect suspicious messages.
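To make the data loss prevention item above concrete, here is an added example (not code from the original article or from any DLP vendor) of the kind of content inspection a DLP control performs on outbound mail: it flags messages leaving the corporate domains that carry payroll fields of the sort exposed in the Morrisons case, and distinguishes a single employee sending their own record from a bulk export. The domain names, the two simplified regular expressions (UK National Insurance number and sort code plus account number), the bulk threshold of ten records, and all sample messages are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Domains treated as inside the corporate network; anything else is external.
# Constructed values for this example.
INTERNAL_DOMAINS = {"payroll.example-grocer.internal", "example-grocer.internal"}

# Simplified content rules for the kinds of payroll fields the Morrisons leak
# exposed. Real DLP products ship far richer classifiers; these two regexes
# only illustrate the mechanism.
RULES = {
    # UK National Insurance number, e.g. AB123456C
    "ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    # UK sort code plus account number, e.g. 12-34-56 12345678
    "bank_account": re.compile(r"\b\d{2}-\d{2}-\d{2} \d{8}\b"),
}


@dataclass(frozen=True)
class Finding:
    recipient: str  # external address the data would reach
    rule: str       # which content rule fired
    count: int      # how many records matched


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def inspect_message(recipients, body, attachments=()):
    """Return one Finding per (external recipient, rule) with at least one match."""
    external = [r for r in recipients if is_external(r)]
    if not external:
        return []  # data stays inside the network; nothing to report
    text = "\n".join([body, *attachments])
    findings = []
    for name, pattern in RULES.items():
        hits = len(pattern.findall(text))
        if hits:
            findings.extend(Finding(r, name, hits) for r in external)
    return findings


def decide(findings, bulk_threshold=10):
    """Policy: one person's own record warrants an alert, a bulk export a block."""
    if not findings:
        return "allow"
    if any(f.count >= bulk_threshold for f in findings):
        return "block"
    return "alert"


# Constructed sample traffic: a 12-row payroll export (name, NI number,
# sort code + account, salary) and three messages that carry or omit it.
PAYROLL_EXPORT = [
    f"Employee {i},AB{100000 + i:06d}C,12-34-56 {10000000 + i},{30000 + 250 * i}"
    for i in range(12)
]

SAMPLES = {
    "internal_report": (["hr@example-grocer.internal"],
                        "Monthly payroll attached.", PAYROLL_EXPORT),
    "own_record_to_external": (["jane.doe@webmail-example.com"],
                               "My NI number is AB123456C, is my tax code right?"),
    "bulk_upload_external": (["upload@file-share-example.net"],
                             "see attached", PAYROLL_EXPORT),
}


def run_samples():
    """Map each sample message to the policy verdict the rules produce."""
    return {name: decide(inspect_message(*args)) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

The internal report is allowed because no recipient is outside the corporate domains, the single record to a personal address produces an alert for review, and the bulk export to a file-sharing address is blocked. A production rule set would add destination-aware exceptions (for example a payroll provider) and log every finding to the security monitoring pipeline so that repeated low-volume exports by one account are visible as a pattern.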
Vicarious liability was excluded from the 1998 UK Data Protection Act, the statute under which Morrisons’ original charge fell. In May of 2018, however, this Act was superseded by what is known today as the General Data Protection Regulation (GDPR). On April 1, 2020, the UK Supreme Court ruled in Morrisons’ favor that an employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta. Morrisons, as expected, welcomed this ruling enthusiastically.
Despite this outcome, data breaches occurring today are still subject to legal proceedings depending on the applicable privacy regulation. In the United States, we’re currently witnessing the California Consumer Privacy Act (CCPA) adopt provisions that overlap with GDPR. With the ever-changing landscape of global economies, CIOs, CISOs, and other data security executives at globally operating organizations can expect to see similar growth in data privacy regulations across the world. By ensuring that their cybersecurity programs remain relevant and resilient to threats, organizations can reduce the impact when security incidents do occur.
Contact our cybersecurity experts to learn more and improve your data protection strategy today.