UK Court Says Company Is Innocent In Massive Data Breach Caused By Vindictive Employee, But Must Nonetheless Pay Compensation

from the who-said-life-is-fair? dept

It’s well known that the EU has laws offering relatively strong protection for personal data — some companies say too strong. Possible support for that viewpoint comes from a new data protection case in the UK, which follows EU law, where the judge has come to a rather surprising conclusion. Details of the case can be found in a short post on the Panopticon blog, or in the court’s 59-page judgment (pdf), but the basic facts are as follows.

In 2014, a file containing personal details of 99,998 employees of the UK supermarket chain Morrisons was posted on a file-sharing Web site. The file included names, addresses, gender, dates of birth, phone numbers (home or mobile), bank account numbers and salary information. Public links to the file were placed elsewhere, and copies of the data sent on a CD to three local newspapers, supposedly by someone who had found it on the Internet. In fact, all the copies originated from Andrew Skelton, a Senior IT Auditor in Morrisons, as later investigations discovered. According to the court, Skelton had a grudge against the company because of a disciplinary process that took place in 2013. As a result of the massive data breach in 2014, Skelton was sentenced to eight years in prison.

The current case was brought by some 5,500 employees named in the leaks, who sought compensation from Morrisons. There were two parts to the claim. One was that Morrisons was directly to blame, and the other that it had “vicarious liability” — that is, liability for the actions or omissions of others. The UK judge found that Morrisons was not directly liable, since it had done everything it could to avoid personal data being leaked. However, as the Panopticon blog explains:

having concluded that Morrisons was entirely legally innocent in respect of Skelton’s misuse of the data, the Judge held that it was nonetheless vicariously liable for Skelton’s misdeeds

That is a legal bombshell as far as UK privacy law is concerned, since it means that a company that does everything it reasonably can to prevent personal data being revealed can nonetheless be held vicariously liable for the actions of an employee, even a malicious one. That clearly offers an extremely easy — if potentially self-damaging — route for disgruntled employees who want to harm their employers. All they need to do is intentionally leak personal data, and the company they work for will have vicarious responsibility for the privacy breach. In fact, even the judge was worried by the implications of his own decision:

The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims.

As a result, the judge granted leave for Morrisons to appeal against his judgment that it was vicariously liable. Hundreds of thousands of companies around the UK will now be hoping that a higher court, either nationally or even at the EU level, overturns the ruling, and sets a limit on those super-strong data protection laws.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+


Comments on “UK Court Says Company Is Innocent In Massive Data Breach Caused By Vindictive Employee, But Must Nonetheless Pay Compensation”

26 Comments
3D Face Analysis says:

“The file included names, addresses, gender, dates of birth, phone numbers (home or mobile), bank account numbers and salary information. … As a result of the massive data breach in 2014, Skelton was sentenced to eight years in prison.”

Does anyone else think 8 years in prison is excessively long for this nonviolent offense?

I don’t think names, phone numbers, and addresses are private enough to justify this harsh sentence. You could get a person’s address and telephone number from a phone book or from a search engine that searches for people. Salary could be estimated easily. And a lot of people email and post their bank account numbers online.

MDT (profile) says:

Re: Too Harsh, really?

Really? You do realize that is everything required to steal your identity and ruin your life. Literally they can put you in debt that takes decades to recover from. And it’s not one person that this guy sold information for, it’s many many many people, each facing a decade or more of dealing with their identity stolen and their credit in ruins. Potentially even lawsuits from companies that got defrauded, hiring lawyers, and so on.

You really think that 8 years is too harsh? Wow…

Anonymous Coward says:

Re: Re: Too Harsh, really?

I think a larger issue here is the whole idea of ‘Identity Theft’

In a fair world, if Bob uses Sally’s data to obtain a loan from DumbBank….

The victim of the crime is DumbBank.
The criminal is Bob.
Sally has nothing to do with any of that.

But the cards are stacked in favor of the banks so we end up with:
The Victim of the crime is DumbBank and they want their money back.
The criminal is Sally
DumbBank don’t give a crap about Bob as long as they get their money from Sally.

Whatever happened to innocent until proven guilty?

Anonnn says:

Re: Re:

Judges are there to uphold the letter of the law with regard to what is presented to them in court.

If there is a contradiction in law, or loopholes that perpetrators of crime manage to inflict harm through, it is not for judges of lower courts to then go about changing law willy-nilly.

The judge came to a conclusion based on law but, recognising the problem, allowed it to be challenged in a higher court.

That’s what they are supposed to do..

G Thompson (profile) says:

There is nothing unusual in this finding since this is how VL works in most common law countries when dealing with negligent conduct of employees that is also criminal.

It’s dependent (mostly) on whether the criminal conduct committed by the employee could be considered within the scope of the employment duties, and whether the risk to the enterprise, and therefore to others the employer held a duty towards, was both foreseeable and a not-insignificant inherent risk.

Though this case (from first glance) was only about the actual liability of the matter, it does not (and specifically states as much) deal with defences (contributory negligence for instance, reasonable and honest mistake, and the big one.. illegality) that might limit or even nullify any damages that could be recovered from the company.

Though the case might be purely dependent on the Act in question (Data Protection Act), it is very much a standard action on the case (tort of negligence) matter.

Anonymous Coward says:

Oversight by companies

The question that I’m left with is: “Why do these companies entrust all that personal data to a single employee?”

Face it, if a company gives a single employee access to all this personal information, without the necessary (or functioning) oversight, is it not at least partly accountable for any breaches resulting from that access?

Would such a company give a single employee unsupervised access to all its financial keys, permitting one person to rob the company clean?

Anonymous Coward says:

Re: Oversight by companies

Quis custodiet ipsos custodes?

Your point is a good one, and to that end, companies (and everyone else) should (a) minimize the amount of data they collect, (b) minimize the number of people with access to it, (c) minimize the number of places they stash it, (d) minimize the length of time they keep it, and (e) absolutely not store it in the cloud under any circumstances.

But even if all that’s done, there are still difficult problems to solve. Let me give you three points:

1. Two years ago, I was in a position to stroll out the door with many terabytes of medical data. I didn’t, of course: I defended it. In fact, I spent a huge number of hours making it MORE secure than it was when I started: more/better firewalls, encryption, isolating systems, further restricting access, moving it offline, deleting disused data, etc. But eventually I moved on. Someone replaced me. Are their intentions the same as mine? What about the next person? And the next?

2. It is INCREDIBLY hard to get people to understand that the data they work so hard to collect and manage and keep is an asset — in this case, it let them manage their employees, payroll, benefits, etc. — but it was also a huge liability. Believe me, I’ve tried to make people understand this and nearly everyone in nearly every case dismissed my concerns with a handwave and a dose of “but we’ve also done this but we’re no worse than anyone else but everyone gets hacked but we won’t get hacked”. (The work I described in point 1 took X hours. It probably took 2X hours to convince them to let me do it.) So perhaps this verdict sends a message that needs to be heard in terms that the recipients will understand.

3. There is a great deal of sound and fury over certifications and standards and formal processes and compliance and audits and blah blah blah. Wanna know a secret?

It’s all worthless.

It’s all an elaborate dodge to provide justification for keeping data that companies should never have had and shouldn’t keep but really want to hang onto. It provides plausible deniability and a long list of readymade excuses when something goes wrong. “No one could have foreseen” they will say. “We fully complied with standard 12345” they will say. “We take privacy seriously” they will say.

And every single word of it is complete bullshit.

PaulT (profile) says:

Re: Oversight by companies

“Would such a company give a single employee unsupervised access to all its financial keys, permitting one person to rob the company clean?”

I’m not entirely sure they did, though exact details seem to be scarce. In this case, the guy is described as a “senior IT auditor”, meaning that it’s his job to check for problems and he would be in a position of responsibility for a national organisation. It would seem that instead of reporting a security hole, he chose to instead exploit it. He would also likely be the person at the top of the chain of command in that scenario, except perhaps the CIO, so constant supervision isn’t exactly something that would be expected.

I’m not entirely sure what the fix is for this but, unless there’s some details I’m missing, it’s not like they gave him a log in for the HR system and let him do anything he wanted. Even if you demand constant supervision, you have to be able to trust the supervisors, and so on.

Anonymous Coward says:

Re: Re: Oversight by companies

Exactly the point.

You focus on the “how do we supervise?” problem but I’d rather focus on the “don’t put it all in the hands of 1 person” solution (no matter how high up the foodchain).

If the data had been distributed over multiple systems requiring different people to sign off on them, it would have been that much harder (if not impossible) for a lone wolf to organise such a breach.
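The two comments above argue for minimizing who can touch the full dataset and for requiring more than one person to sign off before it leaves the building. The following is an added example (not code from Techdirt, from Morrisons, or from any commenter) of what that looks like as a control: a dual-control gate in Python where any export above a record-count threshold needs approval from two distinct people, neither of whom is the requester, and every decision is written to an append-only audit trail. The threshold, the dataset name, the account names and the record counts are constructed for illustration.

```python
# Added example: a two-person rule for bulk exports of personal data.
# Nothing here is from the article; names, threshold and counts are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone


class ExportDenied(Exception):
    """Raised when a bulk export does not satisfy the two-person rule."""


@dataclass
class ExportRequest:
    requester: str          # account asking for the export
    dataset: str            # constructed dataset name, e.g. "payroll_master"
    record_count: int       # how many people's records the export covers
    approvals: set = field(default_factory=set)


class BulkExportGate:
    """Enforces separation of duties on large personal-data exports."""

    def __init__(self, threshold: int = 1000, approvers_required: int = 2):
        self.threshold = threshold                # exports above this need sign-off
        self.approvers_required = approvers_required
        self.audit_log: list = []                 # stand-in for an append-only store

    def _audit(self, event: str, req: ExportRequest, actor: str) -> None:
        # Every decision, including denials, is recorded with who triggered it.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event,
            "actor": actor,
            "dataset": req.dataset,
            "records": req.record_count,
        })

    def approve(self, req: ExportRequest, approver: str) -> None:
        # An approver must be a different person from the requester; otherwise
        # one account could both request and sign off on its own export.
        if approver == req.requester:
            self._audit("approval_rejected_self", req, approver)
            raise ExportDenied(f"{approver} cannot approve their own request")
        req.approvals.add(approver)               # a set, so repeat approvals don't count twice
        self._audit("approved", req, approver)

    def release(self, req: ExportRequest) -> bool:
        """Return True if the export may proceed; raise ExportDenied otherwise."""
        needed = self.approvers_required if req.record_count > self.threshold else 0
        if len(req.approvals) < needed:
            self._audit("release_denied", req, req.requester)
            raise ExportDenied(
                f"{req.record_count} records need {needed} approvals, "
                f"have {len(req.approvals)}")
        self._audit("released", req, req.requester)
        return True


def demo() -> dict:
    """Walk one small and one bulk export through the gate and report outcomes."""
    gate = BulkExportGate(threshold=1000, approvers_required=2)
    small = ExportRequest("alice", "payroll_master", 40)
    big = ExportRequest("alice", "payroll_master", 99_998)
    result = {"small_released": gate.release(small)}   # below threshold: no sign-off
    try:
        gate.release(big)                              # bulk export with no approvals
    except ExportDenied:
        result["big_unapproved"] = "denied"
    try:
        gate.approve(big, "alice")                     # requester approving herself
    except ExportDenied:
        result["self_approval"] = "denied"
    gate.approve(big, "bob")
    gate.approve(big, "carol")
    result["big_after_two"] = gate.release(big)        # two distinct approvers: allowed
    result["audit_events"] = [e["event"] for e in gate.audit_log]
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The gate does not stop a determined insider who can read the data directly from the source system; its value is that the bulk path most useful to a leaker now needs a second and third person, and that every attempt, successful or not, lands in a log someone else can review.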

Anonymous Coward says:

Re: Oversight by companies

Right, Karl wrote “it means that a company that does everything it reasonably can to prevent personal data being revealed can nonetheless be held vicariously liable” without examining whether they really did “everything [they] can”. It’s hard for me to imagine why one person would need the phone number and date of birth for 100000 employees.

Personal data is toxic waste. Avoid gathering it whenever possible, and store with extreme care the rest of the time. Of the listed data set, gender and date of birth seem like information the company shouldn’t need at all.

Anonymous Coward says:

Re: Re: Re: Oversight by companies

Date of Birth determines retirement date.

Haven’t most countries done away with forced retirement? Retirement is now generally a one-time thing initiated by the would-be retiree. They can show ID when they file the paperwork.

And Skelton was described as a "Senior IT Auditor", not someone doing anything related to pensions or insurance.

Gender? In some countries it may determine benefit eligibility (maternity/paternity, etc). No idea whether that’s true in the UK.

If so, countries should fix their sexist laws. They should just need a doctor to confirm pregnancy, for people to receive maternity benefits; and a birth certificate to claim postnatal benefits. (BTW, men can get pregnant now, in countries that let trans-men update their IDs to say "male".) And as above, that can be checked when they want to claim the benefit; it does not need to be stored on every employee file just in case they’re going to have a kid.

Insurance companies sometimes want these data too, but companies should push back against it (especially if they’re claiming to follow anti-ageism/sexism policies).

The Wanderer (profile) says:

Re: Re: Re:2 Oversight by companies

Date of birth still determines the age at which you shift from “early retirement” to simple “retirement”, which is an important thing that needs tracking in some companies’ employee-compensation systems.

Whether the benefits of designing a system such that it needs to track that outweigh the disadvantages of storing the date of birth is another question.

Anonymous Coward says:

Re: Re: Re:3 Oversight by companies

Date of birth still determines the age at which you shift from "early retirement" to simple "retirement", which is an important thing that needs tracking in some companies’ employee-compensation systems.

How so? I’ve never heard of such a thing. Wouldn’t it be illegal to have compensation depend on age? If it’s to tell the employee how much pension they’ll get, they could give an age or a formula rather than a date, or even a webpage where the user enters a DoB (which is never transmitted/stored) and it’s calculated. Once someone actually chooses to retire, they can provide the DoB (which ideally would not be stored in a computer system once the benefit is calculated).

Jeroen (profile) says:

Although innocent, they are liable. I do not consider that strange: similar things happen if you cause a road accident. I consider this a very reasonable outcome. The company has control over who it hires to supervise the data, what data it collects, and so on, so if something goes wrong with the data, the company is the one who put the data in that position that it could go wrong, so they are the ones who will have to pay if things do go wrong (and take out insurance if that would cost them too much).

They could of course try to get that ex-employee to reimburse them, but it is doubtful his assets will cover that in full.
