UK Court Says Company Is Innocent In Massive Data Breach Caused By Vindictive Employee, But Must Nonetheless Pay Compensation
from the who-said-life-is-fair? dept
It's well known that the EU has laws offering relatively strong protection for personal data -- some companies say too strong. Possible support for that viewpoint comes from a new data protection case in the UK, which follows EU law, where the judge has come to a rather surprising conclusion. Details of the case can be found in a short post on the Panopticon blog, or in the court's 59-page judgment (pdf), but the basic facts are as follows.
In 2014, a file containing personal details of 99,998 employees of the UK supermarket chain Morrisons was posted on a file-sharing Web site. The file included names, addresses, gender, dates of birth, phone numbers (home or mobile), bank account numbers and salary information. Public links to the file were placed elsewhere, and copies of the data were sent on a CD to three local newspapers, supposedly by someone who had found it on the Internet. Later investigations found that all the copies in fact originated from Andrew Skelton, a Senior IT Auditor at Morrisons. According to the court, Skelton had a grudge against the company because of a disciplinary process that took place in 2013. As a result of the massive data breach in 2014, Skelton was sentenced to eight years in prison.
The current case was brought by some 5,500 employees named in the leaks, who sought compensation from Morrisons. There were two parts to the claim. One was that Morrisons was directly to blame, and the other that it had "vicarious liability" -- that is, liability for the actions or omissions of others. The UK judge found that Morrisons was not directly liable, since it had done everything it could to avoid personal data being leaked. However, as the Panopticon blog explains:
having concluded that Morrisons was entirely legally innocent in respect of Skelton's misuse of the data, the Judge held that it was nonetheless vicariously liable for Skelton's misdeeds
That is a legal bombshell as far as UK privacy law is concerned, since it means that a company that does everything it reasonably can to prevent personal data being revealed can nonetheless be held vicariously liable for the actions of an employee, even a malicious one. That clearly offers an extremely easy -- if potentially self-damaging -- route for disgruntled employees who want to harm their employers. All they need to do is intentionally leak personal data, and the company they work for will have vicarious responsibility for the privacy breach. In fact, even the judge was worried by the implications of his own decision:
The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims.
As a result, the judge granted leave for Morrisons to appeal against his judgment that it was vicariously liable. Hundreds of thousands of companies around the UK will now be hoping that a higher court, either nationally or even at the EU level, overturns the ruling, and sets a limit on those super-strong data protection laws.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: data breach, data protection, employees, eu, liability, responsibility, uk
Reader Comments
Does anyone else think 8 years in prison is excessively long for this nonviolent offense?
I don't think names, phone numbers, and addresses are private enough to justify this harsh sentence. You could get a person's address and telephone number from a phone book or from a search engine that searches people. Salary could be estimated easily. And a lot of people email and post their bank account numbers online.
Re: Too Harsh, really?
You really think that 8 years is too harsh? Wow...
Re: Re: Too Harsh, really?
and that is the problem, it should take more.
Re: Re: Re: Too Harsh, really?
But since the problem currently exists, as it is, then I would say that this is the correct penalty.
Re: Re: Too Harsh, really?
In a fair world, if Bob uses Sally's data to obtain a loan from DumbBank....
The victim of the crime is DumbBank.
The criminal is Bob.
Sally has nothing to do with any of that.
But the cards are stacked in favor of the banks so we end up with:
The Victim of the crime is DumbBank and they want their money back.
The criminal is Sally
DumbBank doesn't give a crap about Bob as long as they get their money from Sally.
Whatever happened to innocent until *proven* guilty?
Re:
Maybe... such things are always hard to judge. With 100000 victims, one could argue for more time too (8 years is about an hour per victim).
Slight correction
They offer little to no protection for protecting personal data from the government, particularly Germany and the UK.
Why were your Hands tied to reach such an outrageous verdict?
Was there really The Crown holding you hostage to reach such a ridiculous ruling?
Are judges in the nanny-state UK really that bound?
Inquiring minds want to know.
Re:
It's a minimum sentencing/zero tolerance issue.
Re:
If there is a contradiction in law, or loopholes that perpetrators of crime manage to inflict harm through, it is not for judges of lower courts to then go about changing law willy-nilly.
The judge came to a conclusion based on law but, recognising the problem, allowed it to be challenged in a higher court.
That's what they are supposed to do.
It's dependent (mostly) on whether the criminal conduct committed by the employee could be considered within the scope of the employment duties, and whether the risk to the enterprise, and therefore to others the employer held a duty towards, was both foreseeable and a not insignificant inherent risk.
Though this case (from first glance) was only about the actual liability of the matter, it does not (and specifically states as much) deal with defences (contributory negligence for instance, reasonable and honest mistake, and the big one: illegality) that might limit or even nullify any damages that could be recovered from the company.
Though the case might be purely dependent on the Act in question (Data Protection Act), it is very much a standard action on the case (tort of negligence) matter.
Oversight by companies
Face it, if a company gives a single employee access to all this personal information, without the necessary (or functioning) oversight, is it not at least partly accountable for any breaches resulting from that access?
Would such a company give a single employee unsupervised access to all its financial keys, permitting one person to rob the company clean?
Re: Oversight by companies
Your point is a good one, and to that end, companies (and everyone else) should (a) minimize the amount of data they collect, (b) minimize the number of people with access to it, (c) minimize the number of places they stash it, (d) minimize the length of time they keep it, and (e) absolutely not store it in the cloud under any circumstances.
But even if all that's done, there are still difficult problems to solve. Let me give you three points:
1. Two years ago, I was in a position to stroll out the door with many terabytes of medical data. I didn't, of course: I defended it. In fact, I spent a huge number of hours making it MORE secure than it was when I started: more/better firewalls, encryption, isolating systems, further restricting access, moving it offline, deleting disused data, etc. But eventually I moved on. Someone replaced me. Are their intentions the same as mine? What about the next person? And the next?
2. It is INCREDIBLY hard to get people to understand that the data they work so hard to collect and manage and keep is an asset -- in this case, it let them manage their employees, payroll, benefits, etc. -- but it was also a huge liability. Believe me, I've tried to make people understand this and nearly everyone in nearly every case dismissed my concerns with a handwave and a dose of "but we've also done this but we're no worse than anyone else but everyone gets hacked but we won't get hacked". (The work I described in point 1 took X hours. It probably took 2X hours to convince them to let me do it.) So perhaps this verdict sends a message that needs to be heard in terms that the recipients will understand.
3. There is a great deal of sound and fury over certifications and standards and formal processes and compliance and audits and blah blah blah. Wanna know a secret?
It's all worthless.
It's all an elaborate dodge to provide justification for keeping data that companies should never have had and shouldn't keep but really want to hang onto. It provides plausible deniability and a long list of readymade excuses when something goes wrong. "No one could have foreseen" they will say. "We fully complied with standard 12345" they will say. "We take privacy seriously" they will say.
And every single word of it is complete bullshit.
Re: Re: Oversight by companies
Despite the story saying Morrisons had done everything they could have, I have my doubts.
Most companies I've seen talk a great game and then have a list of master passwords on a share-drive or a system that allows what amounts to a full database dump to a USB.
Re: Oversight by companies
I'm not entirely sure they did, though exact details seem to be scarce. In this case, the guy is described as a "senior IT auditor", meaning that it's his job to check for problems and he would be in a position of responsibility for a national organisation. It would seem that instead of reporting a security hole, he chose to instead exploit it. He would also likely be the person at the top of the chain of command in that scenario, except perhaps the CIO, so constant supervision isn't exactly something that would be expected.
I'm not entirely sure what the fix is for this but, unless there are some details I'm missing, it's not like they gave him a login for the HR system and let him do anything he wanted. Even if you demand constant supervision, you have to be able to trust the supervisors, and so on.
Re: Re: Oversight by companies
You focus on the "how do we supervise?" problem but I'd rather focus on the "don't put it all in the hands of 1 person" solution (no matter how high up the foodchain).
If the data had been distributed over multiple systems requiring different people to sign off on, it would have been that much harder (if not impossible) for a lone wolf to organise such a breach.
Re: Oversight by companies
Personal data is toxic waste. Avoid gathering it whenever possible, and store with extreme care the rest of the time. Of the listed data set, gender and date of birth seem like information the company shouldn't need at all.
Re: Re: Re: Oversight by companies
Haven't most countries done away with forced retirement? Retirement is now generally a one-time thing initiated by the would-be retiree. They can show ID when they file the paperwork.
And Skelton was described as a "Senior IT Auditor", not someone doing anything related to pensions or insurance.
If so, countries should fix their sexist laws. They should just need a doctor to confirm pregnancy, for people to receive maternity benefits; and a birth certificate to claim postnatal benefits. (BTW, men can get pregnant now, in countries that let trans-men update their IDs to say "male".) And as above, that can be checked when they want to claim the benefit; it does not need to be stored on every employee file just in case they're going to have a kid.
Insurance companies sometimes want these data too, but companies should push back against it (especially if they're claiming to follow anti-ageism/sexism policies).
Re: Re: Re: Re: Oversight by companies
Whether the benefits of designing a system such that it needs to track that outweigh the disadvantages of storing the date of birth is another question.
Re: Re: Re: Re: Re: Oversight by companies
How so? I've never heard of such a thing. Wouldn't it be illegal to have compensation depend on age? If it's to tell the employee how much pension they'll get, they could give an age or a formula rather than a date, or even a webpage where the user enters a DoB (which is never transmitted/stored) and it's calculated. Once someone actually chooses to retire, they can provide the DoB (which ideally would not be stored in a computer system once the benefit is calculated).
They could of course try to get that ex-employee to reimburse them, but it is doubtful his assets will cover that in full.
UK law is an ass and then some.