A recent court decision, involving the UK’s first ever data breach class action, has significant data protection implications for every business in the country that holds personal data on employees, customers or suppliers. The decision opens the way for victims of data breaches to sue those who hold the data, even if it has been leaked criminally by an employee.
The High Court case, brought by 5,500 employees of the supermarket chain Morrisons, found that the company, as data controller, was responsible for a very serious data breach caused deliberately by a malicious employee. The employee concerned, Andrew Skelton, a senior internal auditor at the retailer, leaked the payroll data of 100,000 employees by sending it to newspapers and publishing it online, after being accused of dealing in legal highs at work. He has already been jailed for 8 years, back in 2015, for his actions.
The leaked data included names, addresses, bank account details, NI numbers and salaries, so it was classed as sensitive personal data, and was certainly enough for criminals to steal the identities of all those employees. The stress caused by this possibility led to the class action against the company.
Even though Morrisons was also the victim in this case, and was awarded £170,000 in compensation against its former employee, it found itself landed with costs of around £2 million to rectify the leak and is now facing a potentially huge payout to thousands of employees. The finding in this case will equally apply to any business, large or small, that suffers a data leak by an employee or even a former employee. Such a business is likely to be found responsible for the leak, having appointed the employee, and could face class action compensation claims, as well as clean-up costs, from those whose data has been lost.
The message to CIOs, CTOs and small business owners is clear. You must take action now to put in place a leading-edge monitoring solution that will patrol your networks 24/7 and spot suspicious internal activity as soon as it occurs. The best solutions, such as the behavioural monitoring solution ThreatSpike, will withdraw user rights and notify system administrators immediately, so limiting the damage that can be done by a malicious insider.
With the entry into force of the EU GDPR in May 2018, which gives data subjects the right to compensation for breaches of the Regulation, this threat is not going to go away. No matter the size of your business, if you do not take action now to protect your data from the insider threat, you will be exposing both your business and yourself to an unacceptable risk of data leakage and financial liability. Solutions are available to mitigate the threat. Please don’t wait to take advantage of them.
Head of Cyber Security