UK Court Says Company Is Innocent In Massive Data Breach Caused By Vindictive Employee, But Must Nonetheless Pay Compensation

from the who-said-life-is-fair? dept

It's well known that the EU has laws offering relatively strong protection for personal data -- some companies say too strong. Possible support for that viewpoint comes from a new data protection case in the UK, which follows EU law, where the judge has come to a rather surprising conclusion. Details of the case can be found in a short post on the Panopticon blog, or in the court's 59-page judgment (pdf), but the basic facts are as follows.

In 2014, a file containing personal details of 99,998 employees of the UK supermarket chain Morrisons was posted on a file-sharing Web site. The file included names, addresses, gender, dates of birth, phone numbers (home or mobile), bank account numbers and salary information. Public links to the file were placed elsewhere, and copies of the data sent on a CD to three local newspapers, supposedly by someone who had found it on the Internet. In fact, all the copies originated from Andrew Skelton, a Senior IT Auditor in Morrisons, as later investigations discovered. According to the court, Skelton had a grudge against the company because of a disciplinary process that took place in 2013. As a result of the massive data breach in 2014, Skelton was sentenced to eight years in prison.

The current case was brought by some 5,500 employees named in the leaks, who sought compensation from Morrisons. There were two parts to the claim. One was that Morrisons was directly to blame, and the other that it had "vicarious liability" -- that is, liability for the actions or omissions of others. The UK judge found that Morrisons was not directly liable, since it had done everything it could to avoid personal data being leaked. However, as the Panopticon blog explains:

having concluded that Morrisons was entirely legally innocent in respect of Skelton's misuse of the data, the Judge held that it was nonetheless vicariously liable for Skelton's misdeeds

That is a legal bombshell as far as UK privacy law is concerned, since it means that a company that does everything it reasonably can to prevent personal data being revealed can nonetheless be held vicariously liable for the actions of an employee, even a malicious one. That clearly offers an extremely easy -- if potentially self-damaging -- route for disgruntled employees who want to harm their employers. All they need to do is intentionally leak personal data, and the company they work for will have vicarious responsibility for the privacy breach. In fact, even the judge was worried by the implications of his own decision:

The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims.

As a result, the judge granted leave for Morrisons to appeal against his judgment that it was vicariously liable. Hundreds of thousands of companies around the UK will now be hoping that a higher court, either nationally or even at the EU level, overturns the ruling, and sets a limit on those super-strong data protection laws.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: data breach, data protection, employees, eu, liability, responsibility, uk


Reader Comments

  • 3D Face Analysis, 7 Dec 2017 @ 8:08pm

    "The file included names, addresses, gender, dates of birth, phone numbers (home or mobile), bank account numbers and salary information. ... As a result of the massive data breach in 2014, Skelton was sentenced to eight years in prison."

    Does anyone else think 8 years in prison is excessively long for this nonviolent offense?

    I don't think names, phone numbers, and addresses are private enough to justify this harsh sentence. You could get a person's address and telephone number from a phone book or from a search engine that searches people. Salary could be estimated easily. And a lot of people email and post their bank account numbers online.

    • MDT, 7 Dec 2017 @ 8:16pm

      Re: Too Harsh, really?

      Really? You do realize that is everything required to steal your identity and ruin your life. Literally they can put you in debt that takes decades to recover from. And it's not one person that this guy sold information for, it's many many many people, each facing a decade or more of dealing with their identity stolen and their credit in ruins. Potentially even lawsuits from companies that got defrauded, hiring lawyers, and so on.

      You really think that 8 years is too harsh? Wow...

      • Anonymous Coward, 8 Dec 2017 @ 7:39am

        Re: Re: Too Harsh, really?

        " You do realize that is everything required to steal your identity and ruin your life. "
        and that is the problem, it should take more.

        • DannyB, 11 Dec 2017 @ 6:04am

          Re: Re: Re: Too Harsh, really?

          You are correct in identifying the problem.

          But since the problem currently exists, as it is, then I would say that this is the correct penalty.

      • Anonymous Coward, 8 Dec 2017 @ 7:58am

        Re: Re: Too Harsh, really?

        I think a larger issue here is the whole idea of 'Identity Theft'

        In a fair world, if Bob uses Sally's data to obtain a loan from DumbBank....

        The victim of the crime is DumbBank.
        The criminal is Bob.
        Sally has nothing to do with any of that.

        But the cards are stacked in favor of the banks so we end up with:
        The Victim of the crime is DumbBank and they want their money back.
        The criminal is Sally
        DumbBank don't give a crap about Bob as long as they get their money from Sally.

        Whatever happened to innocent until *proven* guilty?

      • Anonymous Coward, 8 Dec 2017 @ 12:55pm

        Re: Re: Too Harsh, really?

        Don't put him in prison, just heavily garnish his wages for 20 years to go towards the damage done.

    • Anonymous Coward, 8 Dec 2017 @ 10:05am

      Re:

      Does anyone else think 8 years in prison is excessively long for this nonviolent offense?

      Maybe... such things are always hard to judge. With 100000 victims, one could argue for more time too (8 years is about an hour per victim).

  • JoeCool, 7 Dec 2017 @ 8:15pm

    Slight correction

    It's well known that the EU has laws offering relatively strong protection from companies for personal data

    They offer little to no protection for protecting personal data from the government, particularly Germany and the UK.

    • Lord Lidl of Cheem, 8 Dec 2017 @ 1:34am

      Re: Slight correction

      It would be interesting to see what happens if someone in the government did something similar to what Skelton did with personal data from the government - would the government be held liable in that scenario?

  • oliver, 7 Dec 2017 @ 10:39pm

    Hold on a Minute your honor!!!
    Why were your Hands tied to reach such an outrageous verdict?
    Was there really The Crown holding you hostage to reach such a ridiculous ruling?

    Are judges in the nanny-state UK really that bound?

    Inquiring minds want to know.

    • Killercool, 8 Dec 2017 @ 5:03am

      Re:

      Even judges in the US have times that they are required to set down a certain punishment, no matter what.

      It's a minimum sentencing/zero tolerance issue.

    • Anonnn, 8 Dec 2017 @ 9:13am

      Re:

      Judges are there to uphold the letter of the law with regard to what is presented to them in court.

      If there is a contradiction in law, or loopholes that perpetrators of crime manage to inflict harm through, it is not for judges of lower courts to then go about changing law willy-nilly.

      The judge came to a conclusion based on law but, recognising the problem, allowed it to be challenged in a higher court.

      That's what they are supposed to do..

  • G Thompson, 8 Dec 2017 @ 1:14am

    There is nothing unusual in this finding since this is how VL works in most common law countries when dealing with negligent conduct of employees that is also criminal.

    It's dependent (mostly) on whether the criminal conduct committed by employee could be considered within scope of the employment duties and whether the risk to the enterprise and therefore to others the employer held a duty towards was both foreseeable and a not insignificant inherent risk.

    Though this case (from first glance) was only about the actual liability of the matter, it does not (and specifically states as much) deal with defences (contributory negligence for instance, reasonable and honest mistake, and the big one.. Illegality) that might limit or even nullify any damages that could be recovered from the company.

    Though the case might be purely dependent on the Act in question (Data Protection Act) it is very much a standard action on the case (tort of negligence) matter.

  • Anonymous Coward, 8 Dec 2017 @ 1:18am

    Oversight by companies

    The question that I'm left with is: "Why do these companies entrust all that personal data to a single employee?"

    Face it, if a company gives a single employee access to all this personal information, without the necessary (or functioning) oversight, is it not at least partly accountable for any breaches resulting from that access?

    Would such a company give a single employee unsupervised access to all its financial keys permitting one person to rob the company clean?

    • Anonymous Coward, 8 Dec 2017 @ 1:37am

      Re: Oversight by companies

      Quis custodiet ipsos custodes?

      Your point is a good one, and to that end, companies (and everyone else) should (a) minimize the amount of data they collect (b) minimize the number of people with access to it (c) minimize the number of places they stash it (d) minimize the length of time they keep it and (e) absolutely not store it in the cloud under any circumstances.

      But even if all that's done, there are still difficult problems to solve. Let me give you three points:

      1. Two years ago, I was in a position to stroll out the door with many terabytes of medical data. I didn't, of course: I defended it. In fact, I spent a huge number of hours making it MORE secure than it was when I started: more/better firewalls, encryption, isolating systems, further restricting access, moving it offline, deleting disused data, etc. But eventually I moved on. Someone replaced me. Are their intentions the same as mine? What about the next person? And the next?

      2. It is INCREDIBLY hard to get people to understand that the data they work so hard to collect and manage and keep is an asset -- in this case, it let them manage their employees, payroll, benefits, etc. -- but it was also a huge liability. Believe me, I've tried to make people understand this and nearly everyone in nearly every case dismissed my concerns with a handwave and a dose of "but we've also done this but we're no worse than anyone else but everyone gets hacked but we won't get hacked". (The work I described in point 1 took X hours. It probably took 2X hours to convince them to let me do it.) So perhaps this verdict sends a message that needs to be heard in terms that the recipients will understand.

      3. There is a great deal of sound and fury over certifications and standards and formal processes and compliance and audits and blah blah blah. Wanna know a secret?

      It's all worthless.

      It's all an elaborate dodge to provide justification for keeping data that companies should never have had and shouldn't keep but really want to hang onto. It provides plausible deniability and a long list of readymade excuses when something goes wrong. "No one could have foreseen" they will say. "We fully complied with standard 12345" they will say. "We take privacy seriously" they will say.

      And every single word of it is complete bullshit.

      • R2_v2.0, 10 Dec 2017 @ 9:06pm

        Re: Re: Oversight by companies

        This exactly.

        Despite the story saying Morrison's had done everything they could have, I have my doubts.

        Most companies I've seen talk a great game and then have a list of master passwords on a share-drive or a system that allows what amounts to a full database dump to a USB.

    • PaulT, 8 Dec 2017 @ 1:57am

      Re: Oversight by companies

      "Would such a company give a single employee unsupervised access to all its financial keys permitting one person to rob the company clean?"

      I'm not entirely sure they did, though exact details seem to be scarce. In this case, the guy is described as a "senior IT auditor", meaning that it's his job to check for problems and would be in a position of responsibility for a national organisation. It would seem that instead of reporting a security hole, he chose to instead exploit it. He would also likely be the person at the top of the chain of command in that scenario, except perhaps the CIO, so constant supervision isn't exactly something that would be expected.

      I'm not entirely sure what the fix is for this but, unless there's some details I'm missing, it's not like they gave him a log in for the HR system and let him do anything he wanted. Even if you demand constant supervision, you have to be able to trust the supervisors, and so on.

      • Anonymous Coward, 8 Dec 2017 @ 9:44am

        Re: Re: Oversight by companies

        Exactly the point.

        You focus on the "how do we supervise?" problem but I'd rather focus on the "don't put it all in the hands of 1 person" solution (no matter how high up the foodchain).

        If the data had been distributed over multiple systems requiring different people to sign off on, it would have been that much harder (if not impossible) for a lone wolf to organise such a breach.

    • Anonymous Coward, 8 Dec 2017 @ 10:02am

      Re: Oversight by companies

      Right, Karl wrote "it means that a company that does everything it reasonably can to prevent personal data being revealed can nonetheless be held vicariously liable" without examining whether they really did "everything [they] can". It's hard for me to imagine why one person would need the phone number and date of birth for 100000 employees.

      Personal data is toxic waste. Avoid gathering it whenever possible, and store with extreme care the rest of the time. Of the listed data set, gender and date of birth seem like information the company shouldn't need at all.

      • Chris Brand, 8 Dec 2017 @ 11:02am

        Re: Re: Oversight by companies

        Date of Birth determines retirement date. Gender? In some countries it may determine benefit eligibility (maternity/paternity, etc). No idea whether that's true in the UK.

        • Anonymous Coward, 9 Dec 2017 @ 6:58am

          Re: Re: Re: Oversight by companies

          Date of Birth determines retirement date.

          Haven't most countries done away with forced retirement? Retirement is now generally a one-time thing initiated by the would-be retiree. They can show ID when they file the paperwork.

          And Skelton was described as a "Senior IT Auditor", not someone doing anything related to pensions or insurance.

          Gender? In some countries it may determine benefit eligibility (maternity/paternity, etc). No idea whether that's true in the UK.

          If so, countries should fix their sexist laws. They should just need a doctor to confirm pregnancy, for people to receive maternity benefits; and a birth certificate to claim postnatal benefits. (BTW, men can get pregnant now, in countries that let trans-men update their IDs to say "male".) And as above, that can be checked when they want to claim the benefit; it does not need to be stored on every employee file just in case they're going to have a kid.

          Insurance companies sometimes want these data too, but companies should push back against it (especially if they're claiming to follow anti-ageism/sexism policies).

          • The Wanderer, 10 Dec 2017 @ 11:56am

            Re: Re: Re: Re: Oversight by companies

            Date of birth still determines the age at which you shift from "early retirement" to simple "retirement", which is an important thing that needs tracking in some companies' employee-compensation systems.

            Whether the benefits of designing a system such that it needs to track that outweigh the disadvantages of storing the date of birth is another question.

            • Anonymous Coward, 11 Dec 2017 @ 5:47am

              Re: Re: Re: Re: Re: Oversight by companies

              Date of birth still determines the age at which you shift from "early retirement" to simple "retirement", which is an important thing that needs tracking in some companies' employee-compensation systems.

              How so? I've never heard of such a thing. Wouldn't it be illegal to have compensation depend on age? If it's to tell the employee how much pension they'll get, they could give an age or a formula rather than a date, or even a webpage where the user enters a DoB (which is never transmitted/stored) and it's calculated. Once someone actually chooses to retire, they can provide the DoB (which ideally would not be stored in a computer system once the benefit is calculated).

  • Ninja, 8 Dec 2017 @ 4:49am

    Sounds sensible. The employee should be criminally charged but the company should bear the costs of the cleanup to act as a wake up call to other companies to address such vulnerability and take steps accordingly (if they haven't already).

  • Jeroen, 8 Dec 2017 @ 5:24am

    Although innocent, they are liable. I do not consider that strange: similar things happen if you cause a road accident. I consider this a very reasonable outcome. The company has control over who it hires to supervise the data, what data it collects, and so on, so if something goes wrong with the data, the company is the one who put the data in that position that it could go wrong, so they are the ones who will have to pay if things do go wrong (and take out insurance if that would cost them too much).

    They could of course try to get that ex-employee to reimburse them, but it is doubtful his assets will cover that in full.

  • Anonymous Coward, 11 Dec 2017 @ 2:24am

    The law is an ass.

    UK law is an ass and then some.
