Morrisons’ data leak ruling highlights the inherent risks that exist for all companies
Another day, another company feeling the effects of a data leak. This time the company in the spotlight is UK supermarket chain Morrisons, one of the country’s biggest food retailers.
While this is not an entirely new case – the initial incident actually took place in 2014 – it is significant because the supermarket chain has now lost an appeal against a High Court decision that it should compensate thousands of its employees after their data was compromised.
One of the aspects that sets this case apart from other high-profile data scandals is the manner in which it happened.
A different type of data breach
Rather than being the result of a targeted external attack by hackers hoping to steal information, such as those which previously hit Equifax and TalkTalk, Morrisons suffered an internal information breach.
One of the food retailer’s former employees leaked personal information of about 100,000 staff members and distributed it to newspapers and online.
Andrew Skelton, the former employee in question, was himself jailed for eight years over the incident in 2015. However, despite Morrisons arguing that they couldn’t also be held responsible for the breach, the Court of Appeal disagreed.
The company released a statement saying: “Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues”.
‘Warning bells’ for every business
However, Richard Hayllar, partner at UK law firm TLT, was quoted by City A.M. as saying: “The fact that the Court of Appeal has confirmed that Morrisons is vicariously liable for the loss resulting from the criminal actions of a former employee will sound warning bells and have significant ramifications for every business”.
This is a landmark case which clearly highlights the fact that risk exists in every organisation, because it is an inherent part of working with data. That much is obvious.
But the number of different touchpoints that typically exist within businesses, especially large ones, means that there may be even more risks than you previously imagined.
Customer data, supplier data, employee data. The type of data – and how it’s leaked into the public domain – isn’t the most significant thing here. Rather, what the Morrisons case makes clear is that the company which held the information will, in all likelihood, face some kind of liability.
Going beyond holistic data management
Therefore the question is: while you may have an overall, holistic data management strategy in place, what steps can you take to ensure that the individual employees who work with supplier data on a daily basis are compliant?
First and foremost, the most effective thing you can do is put very clear and thorough data protection measures and policies in place.
Again, you may be thinking that your contracts – such as employment contracts – already include this. But, given that new methods of creating, storing, using and exporting data are always coming into play, are your protection policies actually being updated regularly enough to reflect this?
Here are the key things you need to consider:
- Explain clearly what will happen if supplier data is compromised (what action will you take)
- Prioritise detailed internal training and awareness for your employees
- For those working with extremely sensitive information, make it a requirement for them to sign non-disclosure agreements (NDAs)
- Implement a data management system such as HICX which enables Access Level Control and allows you to assign different permissions to users based on their role, department, geography, etc.
- Make sure all of the data your organisation holds, be it employee, customer or supplier data, is encrypted when it’s created and saved
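The permission model described in the list above (different rights per user depending on role, department and geography) can be shown in working code. The following is an added illustration, not code from this article or from HICX: it implements a default-deny, attribute-based access check over supplier records, writes every decision to an audit log, and raises an alert entry once one account exports more records than a constructed threshold, which is the kind of volume signal a review team would want when the risk is a legitimate user with broad access. The role names, sensitivity labels, threshold and record fields are all assumptions made for the example.

```python
"""Attribute-based access control with an audit trail for supplier records.

Added example; roles, sensitivity labels and thresholds are constructed for
illustration and do not represent any product's schema or API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class User:
    name: str
    role: str          # constructed roles: "viewer", "analyst" or "admin"
    department: str
    geography: str


@dataclass(frozen=True)
class Record:
    record_id: str
    department: str
    geography: str
    sensitivity: str   # constructed labels: "public", "internal", "sensitive"


# Which actions each role may perform on each sensitivity level.
# Anything not listed here is denied (default deny).
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "viewer":  {"public": {"read"}, "internal": {"read"}},
    "analyst": {"public": {"read"}, "internal": {"read", "export"},
                "sensitive": {"read"}},
    "admin":   {"public": {"read", "export"}, "internal": {"read", "export"},
                "sensitive": {"read", "export"}},
}


@dataclass
class AccessController:
    policy: Dict[str, Dict[str, Set[str]]]
    export_alert_threshold: int = 3        # constructed: exports per user before an alert
    audit_log: List[dict] = field(default_factory=list)
    export_counts: Dict[str, int] = field(default_factory=dict)

    def decide(self, user: User, record: Record, action: str) -> bool:
        """Return True if `user` may perform `action` on `record`; log every decision."""
        role_rules = self.policy.get(user.role, {})
        allowed = action in role_rules.get(record.sensitivity, set())
        # Scope the permission to the user's own department and geography;
        # only admins may cross those boundaries.
        if allowed and user.role != "admin":
            allowed = (user.department == record.department
                       and user.geography == record.geography)
        self.audit_log.append({"user": user.name, "record": record.record_id,
                               "action": action, "allowed": allowed})
        if allowed and action == "export":
            self._track_export(user)
        return allowed

    def _track_export(self, user: User) -> None:
        """Count successful exports per user and log one alert when the
        threshold is reached, so unusual export volume is visible in review."""
        count = self.export_counts.get(user.name, 0) + 1
        self.export_counts[user.name] = count
        if count == self.export_alert_threshold:
            self.audit_log.append({"user": user.name, "alert": "export_volume",
                                   "count": count})

    def alerts(self) -> List[dict]:
        """Return only the alert entries from the audit log."""
        return [entry for entry in self.audit_log if "alert" in entry]


def run_demo() -> AccessController:
    """Exercise the controller with constructed users and records."""
    ac = AccessController(POLICY)
    alice = User("alice", "analyst", "procurement", "UK")
    bob = User("bob", "viewer", "finance", "UK")
    internal = Record("SUP-001", "procurement", "UK", "internal")
    sensitive = Record("SUP-002", "procurement", "UK", "sensitive")
    ac.decide(alice, internal, "read")       # allowed: same scope, role permits
    ac.decide(bob, internal, "read")         # denied: wrong department
    ac.decide(alice, sensitive, "export")    # denied: analysts cannot export sensitive
    for i in range(3):                       # three exports trip the volume alert
        ac.decide(alice, Record(f"SUP-1{i}", "procurement", "UK", "internal"), "export")
    return ac


if __name__ == "__main__":
    controller = run_demo()
    for entry in controller.audit_log:
        print(entry)
```

The point of the design is that the permission check and the audit record are produced by the same call, so there is no code path that grants access without leaving a trace, and the alert logic depends only on what was actually allowed rather than on who asked.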