Morrisons employee data breach – what lessons can be learned?
Morrisons recently hit the headlines in relation to its defence of a class action against it for breaching privacy and data protection laws. Over 2000 of its employees are reportedly grouping together to sue the UK supermarket retailer in what the press is already referring to as the biggest claim yet in London's High Courts relating to a mass data breach.
The data leak was caused by an ex-employee, Andrew Skelton, a former internal auditor for the company, who released details of around 100,000 staff. The leaked data included salaries, bank account details, national insurance numbers and dates of birth, and the employees claim that the leak has put them at risk of identity theft, bank account fraud and potential negative impact on their credit ratings. Mr Skelton was jailed for eight years in July for leaking these details to newspapers and websites, even though the details were online for less than 24 hours. The Crown Prosecution Service had argued that Mr Skelton harboured a grudge against the company after being disciplined following an accusation that he had been dealing in legal highs at work. His act of revenge has reportedly cost Morrisons more than £2m, a figure which will undoubtedly increase now that it is defending itself against its employees' claim that, as an employer, it had a duty to protect their personal data.
With a class action which is only likely to grow over the next few months as it gains momentum, the data leak is certain to have a harmful effect on the retailer's brand. Both Morrisons' employees and its customers will feel vulnerable knowing that the company was unable to protect employees' personal data. We are all well aware of the ever-present threat presented by hackers, brought to light recently in relation to TalkTalk and, prior to that, Sony's data breach, the latter of which was blamed publicly on North Korean hackers. But what can companies do to protect themselves from the financial and reputational damage that can be caused by the enemy within: a disgruntled employee?
From an employment perspective, employers should have in place clear and easily accessible data protection and disciplinary policies to avoid later argument over what constitutes acceptable behaviour. Such policies should set out that employees are not allowed to disclose the personal data of other employees or customers unless expressly permitted to do so in accordance with the relevant policies and procedures, and that any policy breach will trigger the disciplinary procedure. The Information Commissioner's 'Employment Practices Code' sets out best practice on this matter and recommends that: i) employees are made aware that they can be criminally liable if they knowingly or recklessly disclose personal information outside their employer's policies and procedures; and ii) serious breaches of data protection rules are made a disciplinary matter. There have been a number of employment tribunal cases in which a finding of fair dismissal was linked to the existence of company policies, further highlighting the protection that policies can afford companies in an employee dispute.
Employers (as data controllers) should also remember that their obligations under the Data Protection Act 1998 (DPA) apply not only to current employees but also to former employees, job applicants, agency and casual workers and even volunteers, as the DPA affords protection to all such categories of individuals to ensure that their personal data is processed and protected in accordance with the DPA.
Any company that holds personal data is under a legal obligation to apply appropriate security measures to protect that data. Most of the work that is required to enable companies to satisfy legal obligations and meet expectations around data security should be done before an incident occurs. The key elements of such work include:
- Understanding the company's data flows and data processing operations.
- Carrying out and documenting a risk assessment on data processing systems.
- Carrying out due diligence on third parties that the company is seeking to engage to carry out the data processing on its behalf (and putting appropriate contracts in place to address security issues).
- Ensuring that the company's policies, processes and operational security measures are appropriate, in accordance with legal requirements.
- Creating a clear incident management plan, with management roles and reporting lines, covering all aspects of a security incident from detection all the way through to remediation of the security vulnerabilities that resulted in the incident.
- Raising internal awareness and training staff.
Given that data protection regulators increasingly expect to see evidence of board-level backing on data security, and that employees across the country will be waking up to their data protection rights in the workplace following the Morrisons class action, there has never been a more critical time for your organisation to have its policies, systems and physical security measures in good order.
We have considerable expertise advising retailers and companies in a variety of other sectors and have the employment, data protection and privacy law knowledge to help you identify gaps in your policy framework or your systems and deal with any potential DPA breaches. To arrange a meeting, please do not hesitate to contact either our Employment & Pensions team or our Privacy, Security & Information team.