Morrisons data leak – the implications
The recent story surrounding the Morrisons data leak has important implications for the way organisations deal with personal data.
Recent developments in the Morrisons data leak case, originally dating back to 2014, have set some very important legal precedents for the way businesses handle personal data. In Kindus’ opinion, the way this case has been dealt with is a step forward for data security and demonstrates how tighter controls need to be implemented around personal data, especially in some of the larger businesses.
Back in 2014, Andrew Skelton, a senior internal auditor at Morrisons, released the personal data of almost 100,000 staff, including bank details, names, addresses and salaries. Morrisons had accused Skelton of dealing legal highs, and in retaliation for these accusations he sent copies of the data to several newspapers. Despite attempting to cover his tracks through a fake email account, Skelton was jailed for eight years in 2015.
Whilst this could have been the end of the matter, things got interesting in 2017 when thousands of Morrisons staff decided to sue the company, claiming compensation for the ‘upset and distress’ caused by the data leak. They were fully justified in doing so, because the real victims of Skelton’s actions were surely the staff members whose personal data was leaked, putting them at risk of identity theft. Having joined a large organisation like Morrisons, they would also have reasonably expected their personal data to be stored securely.
By the end of 2017, the High Court ruled that Morrisons was also liable for Skelton’s actions, and should have done more to protect their staff’s data. Morrisons naturally appealed this ruling, but as of 22 October 2018, the Court of Appeal found that Morrisons was ‘vicariously liable for the torts committed by Mr Skelton against the claimants.’ Morrisons will now make an appeal to the Supreme Court.
This case is not conclusively closed, but in many ways the High Court’s original ruling is a landmark judgement, because it implies that organisations need to take full responsibility for protecting the data of their customers and employees. It may seem a little harsh that Morrisons should take almost all the blame for Skelton’s actions, but on the flip side, if they were not considered responsible at all, there would be no incentive to tighten security controls. Individuals with malicious intent would be free to exploit weak controls, and personal data would remain vulnerable. Of course, it may be difficult for an organisation to fully vet all staff members, and internal auditors will inherently receive authorisation to access sensitive data because that forms part of their job. But clearly, tougher security controls are required in order to reduce the chances of something like this happening again.
A data leak incident can happen to anyone. Kindus can minimise this risk for your organisation. We provide consultancy, advice, risk assessment and remediation in IT and cyber security and have a wealth of experience in implementing robust security controls. Please visit the relevant pages on the website to find out more, or get in touch with us directly here.