If Morrisons is liable for what an employee did ...
then is the USA Commander in Chief (currently one D Trump) liable for what was released by Chelsea Manning ?
Brit supermarket chain WM Morrisons is headed for the Supreme Court to fight an earlier ruling that made it liable for one disgruntled employee dumping the personal details of 100,000 colleagues online. As we reported back in October, the Court of Appeal upheld an earlier verdict holding the supermarket chain responsible for …
"The buck stops here"
Even if the company took reasonable precautions to protect the data, they did lose the data.
Policies and procedures are put in place to minimise the risk of rogue employees, however the entity is responsible for ensuring the data is protected, so the entity and its officers must be held to account, whether that's as an individual (Chief) level if they have failed, or the company (DoD) as a whole.
I disagree. You'd have a point if the data was left out on a desk easy to grab. But if the person goes to extreme lengths due to finding a flaw in process, then as long as that flaw isn't something that's stupidly obvious that should of been plugged ages ago or a hole that was previously report but ignored, then you can't really blame the company owners for the lose.
The current paulf & co do allow employees to put personal items in the outgoing mail and have them franked at the rate prevailing from Royal Mail; BUT employees are expected to indicate they're personal items and to reimburse the company for the postage. This is a big benefit (at a cost to the company of having to deal with the extra franking and cash handling) as it saves a trip to the post office AND we pay the Mailmark Franked rate (where standard 1st class is 1p cheaper than a 2nd class stamp) but it's not a freebie nor could one reasonably expect it to be.
"at a cost to the company of having to deal with the extra franking and cash handling"
Well Franking costs pretty much nothing, and when you start charging for postage that probably costs as much to deal with as the cost of the post you are charging for.
I have always just put personal items like bill payments, etc in the corporate out tray and considered it as perfectly normal and reasonable to do so.
Logically - YES.
They requested the information, they held the information, they failed to provide mechanisms to stop somebody grabbing it all, not to mention the question of vetting the employee access, functional restrictions and/or oversight.
This has to result in a Yes verdict, otherwise every data breach from that day forward will be a case of "rogue employee, nothing to do with us".
Yes. I agree. Unless the company can show that they took all reasonable precautions against a rogue employee misusing the information... Reasonable precautions would include locking down removable media, restricting inbound and outbound network traffic, only allowing access to aggregate/summary data for selections of more than a certain size and many many more. Oh yes, and no BYOD.
With that level of "reasonable" precautions, who would work there? I would rapidly take offence at a system designed on the premise that I was guilty of criminal intent and needed to be stopped.
And who will implement such a system? What if they themselves turn rogue? It's people all the way down!
Even highly-classified military stuff is secured against employees only to the extent that they won't *accidentally* leak. An employee deliberately setting out to leak - from a spy to a whistleblower - will more-likely-than-not succeed if they make a serious effort.
" I would rapidly take offence at a system designed on the premise that I was guilty of criminal intent and needed to be stopped."
That's precisely how I design the Infrastructure I design and implement.
Assume EVERYONE is a malicious actor and/or an idiot.
An auditor doesn't have any special permissions. They'll have what they need for their job and not an ACL more. Certainly nobody needs access to the whole payroll database on a machine that hasn't been locked down.
Just to point out, (networked) backup software can throw a spanner into the workings of any good permissions/auditing system.
If someone gets hold of the backup system's login credentials, it's often a case of "game over" security wise.
A thought-provoking response from Nick Kew - thank you, Have an up-vote - though I disagree.
In response, I would suggest that one test of whether the precautions are 'reasonable' would be to examine the risk/impact for the company. These days, infringing GDPR can have very serious repercussions for a company so although the risk may be the same as before, the impact is much higher. I don't know if the events in question are pre- or post-GDPR but companies should have been preparing long before the deadline. Also, I would contend that the majority of the precautions I suggested would be the same to prevent malware getting onto and/or ex-filtrating information from systems handling sensitive (personal, in Morrisons case) information; and there's no reason for an employee to feel they're being unfairly treated.
As for countermeasures against spies/whistleblowers: well, that's why a court should decide if the precautions were reasonable. If a case has come to court they clearly weren't adequate but that's a different matter.
I would rapidly take offence at a system designed on the premise that I was guilty of criminal intent and needed to be stopped.
So you'd never take a job where you need a pass to gain access to the office, then have to log in to use computer systems, and even then you can't access much of the stored data? I don't give much for your chances of finding employment.
Personally, far from resenting information security features that restrict my capabilities, I mostly value them. It's tiresome to have to jump through hoops to access anything sensitive, but it's reassuring protection against inadvertently damaging or revealing stuff.
> Yes. I agree. Unless the company can show that they took all reasonable precautions against a rogue employee misusing the information.
There is no 'unless' here. Morrisons should be liable. Taking all reasonable precautions can (and should) reduce the fine but it can't absolve them of responsibility.
Fair point AC. Yes, the punishment should fit the crime. If they've been lax they should be punished. If not then they get a token slap on the wrist. Someone else here used the horrible term 'best practice' but it's applicable here IMO. Even if they've not been lax, their system protection was not adequate in this case and *someone* still has to pick up the bill to protect the people who had their information leaked.
From this, and previous, articles it describes Skeltons very job as being the/an IT Auditor.
By default, i expect this to mean he has (oops had*) unfettered access to the entire IT system, had the responsibility to test every procedure and recommend/implement changes (presumably improvements). Difficult to see how he could do his basic job otherwise.
* If he has somehow maintained access to their systems, are Morrisons liable for further events or can they continue to rely on the defence of "It was a rogue employee that did it". Surely not.
The primary cause of it all was for disciplining a single employee (out of some 100,000) for misappropriating company resources. Why just one? I'd assume a minimum of 1,000 were doing the same.
Considering the size of Morrisons as a group, if he was, as you say "the" IT auditor, then there is something VERY wrong with how Morrisons are internally audited. No one auditor should ever have that much access - solely; and Morrisons should have been more vigilant in understanding the risks, and in implementing technologies and strategies such as UAC and DLP.
So yes, they are absolutely liable because they have been negligent in their responsibilities in regards data access rights, security and handling.
By default, i expect this to mean he has (oops had*) unfettered access to the entire IT system, had the responsibility to test every procedure and recommend/implement changes (presumably improvements). Difficult to see how he could do his basic job otherwise.
Not necessarily. Auditors often have no access to the systems at all and work with people who do, to gather the evidence to support the audit. This applies both to internal and external auditors.
@ "It is always people who leak data", I disagree, data can also leak via hacking, bad security practices and general stupidity i.e. incompetence for which they should have insurance.
The company is the one who collected the data therefore they are responsible for it's safe keeping, if it gets away from them then they are the one who has failed and should be held responsible, I have heard the rogue employee excuse far too often in the press for it to still be a surprise to anyone.
If it is not a surprise and it still happens then due diligence has not been followed by the company, hence company fail.
The exposing employee is seperately guilty of a number of computer crimes but the company's security practices allowed it to happen so they must share a portion of the blaim.
Disgruntled employ runs amok, heard this before?
Hacking is done by people. Crap security that allows it to happen is done by people.
The law may say that a company is a person in its own right, but that is mostly about property ownership so you don’t have to change the title deeds, contracts and so on every time the people in a company change , but in reality, a company is just a group of people who get together for a particular purpose. So this means that a person or people within a company do something as part of their work for the company, the company is liable, even if other more senior people in the company prohibited it. The legal authority for this is actually a Morrisons case - Mr AM Mohamud v WM Morrison Supermarkets plc  UKSC 11. https://www.supremecourt.uk/cases/uksc-2014-0087.html
 As an example, in England, a partnership is not a legal person, so every time the partners change, you do have to update all the contracts etc every time the partners change. A Scottish partnership is a legal person, even in England, so you don’t.
Finding an employee criminally liable for an act being sufficient to remove an employers liability is a relatively low standard for data breaches in my opinion.
My understanding is that he had legitimate access to the information for his job (i.e. no hacking etc required to get access to the data) and went "rogue".
If so, in my opinion, the employer should have to demonstrate industry standard practices were followed for training, systems and procedures to ensure data was handled correctly and the employer was taking steps to reduce the risk of disclosure. I would be tempted to err on the side of best practices rather than just standard practices.
But I think thats not the point in question - and it should be.
It's worth noting that Supreme Court Appeals are usually for clarifications on points of law - rather than the facts of the case, so I suspect the wrong aspects are being appealed.
Whats being appealed is the applicability vicarious liability in this case, NOT whether Morrisons sufficiently restricted the access of their IT auditor - which is what they should be judged on. If they made reasonable attempts to provide the auditor with a minimum level of access for his role (say logs only), rather than say SA or equivalent, then I don't think they have a case to answer for damages. If they just shrugged and gave him SA then throw the book at them.
I suspect that the case hinges on the fact that the employee in question was an IT auditor. To remove their elevated access would render them unable to do their job, it would be constructive dismissal even if they did not actually fire him.
Is it reasonable to (effectively) fire someone for a relatively minor disciplinary offence because of what they theoretically might do if they go rogue? Almost certainly not as ruled by many industrial tribunals over the years.
So they may argue that the law put them between a rock and a hard place. Unless they have actionable intelligence that he was going rogue - that would stand up in a tribunal - they were kinda stuck.
I don't want companies to be able to escape liability for data leaks but I do not think this case is quite as simple as that. As always the specifics of the case are what a court should rule on and I think that these are interesting specifics that are worth considering in the highest court. The legal question is - does data protection law require employers to over-react to minor disciplinary matters where an employee might foreseeably have access to personal data? That affects a lot of us in the IT industry and would have a serious impact on the employment rights of anyone with such access.
"It's really not difficult to limit access to data"
It's easy enough to limit the access of an average employee, but what if (for example) they're the sysadmin in charge of backups? Or, as in this case, an auditor?
That said, if someone requires a high level of access, then the next best thing would be to log their actions as closely as possible. However, that only helps identify them after the event, it doesn't stop them from copying all payroll data on to a USB stick.
"The difference is usually those in mental institutions had no choice - those in prisons usually had."
An interesting and conventionally accepted point of view which neuroscience would perhaps somewhat challenge.
If breaking the law is irrational, because the punishment outweighs the benefit, and if expecting to get away with it is irrational, then almost by definition the crime was an irrational act, and therefore the criminal was in some way mentally deficient in their decision making.
We are now reaching the point where we know that there is a quantitative and qualitative difference in the brain chemistry of people who struggle with their weight, people who become addicted, people who are late, people who commit antisocial behaviours, including crimes.
The difference between a mental institution and a prison is one of degree not kind, and the differentiation is arbitrary, inconsistent, and varies with time.
No. Some criminal are also mentally ill - but not all criminals are mentally ill. While most people in mental institutions never had a choice about their lives, many criminals had - they deliberately chose their path because they saw personal advantages in that.
Taking the wrong decision is not a "mental deficiency", sorry - sure, we are not all alike - but a real mental illness is a true different thing. It is also true that in the past many behaviours were considered illnesses and now not - as a scientific approach took place instead of a social one.
Spend some time with those people, you'll learn the difference.
And I'm not saying a mentally ill persons can't be dangerous to themselves or others, just you can't put them on the same plane of criminals.
I am not sure "I won't get caught" is what motivates something like this. To me it seems more like "my enemies have stuck a blow to me, but I am mightier than they and the world shall see it when I strike a more damaging return blow."
In fact he sounds perfectly capable of anonymising via Tor or whatever, but that might not have worked emotionally if it would not have demonstrated his power.
If I have read the article correctly then this appeal is around the extent of 'vicarious liability' in which case it has much wider implications than just the Morrison's case. The principal that 'an employer is liable for the acts of his servants' is firmly held in civil and commercial law and, having gone to the Supreme court, if Morrison's win this then everybody else in roughly analagous positions will be quoting this case as precedent.
Held liable for damages caused to a third party: Yes.
There's a big difference. If a company has stored personal data and it is leaked by an employee (or, TBH, in any way including hacking etc) they should be liable for the damages/costs/etc of the thrid party/ies whose data has been lost. This should not be dependent upon whether they have taken reasonable precautions. If they hold that data and "lose" it, their actions (in holding that data) have cause damage/loss to the third party and they deserve compensation.
If a company has not taken all reasonable precautions to secure that data, it should also be liable for punitive damages (i.e. punished) over and above the tangible losses incurred by the third party.
In fact, thinking on it further, they should be held joint and severally liable along with the parties who committed the offence (where it was from malicious action by a bad actor).
By making it this way, the company could be forced to pay out, but they could take action to recover that (as far as possible) from the other parties involved (hacker, rogue employee etc).
Being held liable *is* a form of punishment. It has measurable financial and reputational effects, whether it is a minor RTA or a major incident.
(I don't know why I am so caught up in this! My sympathies are entirely with the people whose data was stolen, but it just seems inequitable to make an employer liable for the loss caused by a malicious actor if (and only if) the employer followed best practice at the time.)
> If I have read the article correctly then this appeal is around the extent of 'vicarious liability' in which case it has much wider implications than just the Morrison's case.
Where does the chain of responsibility and therefore vicarious liability stop? If they lose, can Morrisons simply argue (in the class action case) that they were compelled to collect personal information by tax and employment law and therefore the Government are liable?
Oh no, wait, Governments never take responsibility for the consequences of laws they pass. Carry on as you were.
It seems to me that if the company took the reasonable precautions, then they should not face criminal charges. But they should remain civilly liable for the release of info that they collected. Unless the info was released by a Higher Power, such as the government. An employee is not a Higher Power. I don't understand the kerfuffle. I guess that's part of the reasons why IANAL.
If a company is liable even when it took reasonable precautions (whatever that might mean) and an employee acted both against company policy and criminally then this is a risk which companies cannot mitigate against whatever they do. This seems grossly unfair to me. The idea that any system can be developed which is prove against employees acting deliberately malicously and criminally is complete fantasy and if the decision stands as is it simply means that a company is always liabel however extreme and complete the precautions they take are. The effect of this is that the only 'defence' is insurance, which will be expensive and many private individuals/small companies/charities will be at risk because of someone acting malicously and with a grudge who is willing to take the consequences of acting criminally in the sure knowledge that even though they are responsible for a criminal actions their employer will be liable.
I think this is about the degree of liability and whether sufficient precautions were indeed taken; and in the case of someone in the payroll department being able to dump personal details so easily, this does not seem to be the case.
Companies find it often very easy to pin the blame on "rogue" individuals. The banks did this over LIBOR and Wall Street apparently over ever had a few "rogue" traders during the financial crisis.
The problem is that there are 2 sides to the liability.
The first is to "force" companies to take reasonable precautions and do their utmost to protect personal data.
The second side is to compensate those affected. A data breech could easily lead to serious problems for those whose data has been leaked. In this particular case, I see this as the more important of the 2: The staff involved will have had a lot of work to do to protect themselves from the leak, could well have more indefinitely in the future, and could well have suffered hardship from it, too. They gave this information (probably without any choice in the matter) to their employer and can reasonably expect it to remain private. Whether the employer took all reasonable precautions or not, they deserve to be compensated for anything resulting from this loss.
Let's consider a trivial case: Your friend needs a laptop to do some work, so you lend him your expensive, top end one for a few days. He keeps it at home in a locked drawer when not in use, and his house is secured (locked and, potentially, alarmed). However, while he is out, someone breaks in and steals this laptop.
Would you expect him to replace it? Unless I had insurance which would be valid in this case, I certainly would (and even with insurance I may expect him to stump up the excess). While I would be sympathetic, I would have loaned him something of value for his benefit (not my own) and would expect it returned in one way or another. He would, in the terms of this article, be liable for the loss (IMHO).
Part of the problem is that, if vicarious liability goes too far, a disgruntled employee could do something that will bring down the entire company due to inability to afford the damages. This could be worth risking/going to prison for, in some people's minds. There has to be some level of reasonableness in the test - as an extreme example, consider a zero-day exploit that the disgruntled employee knows about, but againt which there is currently no defence: it would be unjust to hold the company liable in this instance. Best - not bleeding edge - practice should be the guiding principle for whether the company had the proper safeguards in place - security, as we know, is a trade-off against convenience.
If someone burgled or burned down my house, that could bankrupt me. If I crashed my car into a priceless historic building or a crowd of people, the damages in a court case could bankrupt me.
That's why I have insurance.
If a companies warehouse was burgled, even as an inside job by disgruntled employees, that could force them out of business. They have insurance for that. Why not to cover against claims from the loss of data? Or should the employees have to cover the losses themselves?
"If a companies (sic) warehouse was burgled, even as an inside job by disgruntled employees, that could force them out of business. They have insurance for that. Why not to cover against claims from the loss of data? Or should the employees have to cover the losses themselves?"
I'm sure that, before they issued insurance against such threats, the insurance companies would insist on examining the company's IT security precautions, maybe bringing in an IT auditor to...
Part of the problem is that, if vicarious liability goes too far, a disgruntled employee could do something that will bring down the entire company due to inability to afford the damages.
Not in the UK it couldn't. And even in the US, where payouts can be unlimited, this rarely happens and even it's likely, Chapter 11 is a handy card to play: look at the utility in California that played it over the forest fires.
But criminal liability is a separate issue from any form of reparation. The lack of it can be seen in the farce currently being played out in Germany over VW's egregious rule-breaking: public companies can in Germany not be held criminally liable. Difficult to argue in favour of that I think.
I don't agree. Whilst large companies might be able to absorb mass damages, small companies could end up going to the wall - it has happened in the past.
I am fully aware that criminal and civil aspects are separate, and I have no comment on the criminal aspects of the case. I *do*, however, think that vicarious liability is a poor tool for dealing with situations where a malicious actor deliberately does something that couldn't reasonably be mitigated against*.
*Note that I don't know whether Morrisons security met with best practice - I haven't read anything either way.
If a company is liable even when it took reasonable precautions (whatever that might mean) and an employee acted both against company policy and criminally then this is a risk which companies cannot mitigate against whatever they do. This seems grossly unfair to me. The idea that any system can be developed which is prove against employees acting deliberately malicously and criminally is complete fantasy and if the decision stands as is it simply means that a company is always liable however extreme and complete the precautions they take are.The other aspect of this is that the collection of private data is not something that can be avoided in most areas of life and is inevitable in providing many services. The effect of this is that many organisations of commercial and charitable nature will be subject to potntial liability which they cannot avoid whatever actions they take. The only 'defence' is insurance, which will be expensive and many private individuals/small companies/charities will be at risk because of someone acting malicously and with a grudge who is willing to take the consequences of acting criminally in the sure knowledge that even though they are responsible for a criminal actions their employer will be liable.
The problem with not holding the company liable in civil law is that there's then no redress for those injured. Where these are numerous it's not going to be possible for them to obtain it from the perpetrator. The real difficulty in this case is that the employees affected are collateral damage from an attempt to injure their employer.
I wonder if there are actual damages to any employees.
The crux will be were the precautions reasonable?
Certainly allowing write access to external media would be very poor practice when sensitive data is being accessed.
Lots of small companies up and down the country where policy prevents a user using (i.e. nt even reading) / and definitely bar writing to a USB stick (or whatever other external device) they conect to thier work PC).
Sensitive data and external device usage should always ring alarm bells, and if there is a legit reason, then normally you would ensure close monitoring to prevent abuse.
There is no way to totally protect data, but if basic safeguarding is neglected then company should bear some responsibility - a bit like my house insurance, if nobody in the house and house left unoccipied with doors unlocked, then insurance company will not pay out if it gets burgled as house owner did not take sufficient precautions.
Safeguarding sensitive data can be difficult and expensive, but Morrisons are not exactly a small, poor company, so no excuse for shoddy practice IMHO.
There is a saying that we learn early in law school - "hard cases make bad law". Whilst the saying is overused, I have always taken it to refer to a case that will set a precedent that can reasonably be foreseen to be abused regardless of the decision. This is one such situation - either it will make companies more exposed to harm, or it will leave uninvolved others vulnerable. Whilst I have not had a great deal to do with commercial law since I was an undergraduate some 20 years ago, I do know that, in cases of tort, the availability of insurance is often the deciding factor, so the CoA were simply following previous precedent.
There's no good answer to this one. Punishing the company for his actions isn't right, nor is it right that genuine damages to the data subjects would go uncompensated.
Perhaps a pragmatic approach would be for the damages to be treated as separate liabilities (on a percentage basis for blame as attributed by the judge), but with Morrissons having to front the damages attributable to their ex-employee as a loan if he is unable to pay. Morrissons may end up out of pocket, but the actual perpetrator ends up with a garnished income that would follow him around from then on - making him face the financial penalties as well as the criminal penalties for what he's done. Not a perfect answer by any means, but better than just hitting Morrissons.
As has been mentioned, if you say "No they can't be held responsible." then all breaches could be just blamed on a rouge employee. But if all reasonable checks and protections were put in to stop data being stolen, but that rogue employee managed to discover a way round said restrictions, then surely you can't blame the company. Especially if those holes weren't massively obvious.
Don't spies operate on a friendly bases. As in, keep your enemies close, hide in plan sight. Be friendly, act trustworthy so that no one suspects. Would you say the FBI is responsible for Robert Hanssen's actions or was that just a man in a position of trust who knew how to exploit that position.
If Morrisons did everything they could to avoid such a lose yet the person managed to find the tiniest of holes, then surely you can't blame Morrisons.
Nah, I'm thinking you can blame them. As I learned from Root Cause Analysis, it is Management's (ergo, the Company's) fault.
Even if, as in this case, it was a rogue employee, who hired him and gave him that access? Management. Who crapped on his morale to the point where it seemed to him that it was worth prison to damage the company? Management.
Even if it was just one instance of correcting undesirable behaviour, they hired someone that would flip their shit at one disciplinary action; thus it's their fault.
The causes for something like this are in hiring, training, and/or working environment; and management controls all of those.
That is why long-standing law and precedent holds corporations liable for the actions of their employees.
The trouble is, it waters down personal responsibility. In your Root Cause Analysis, the individual is invisible - it is always somebody else's fault. The real reasons why somebody did something that led to bad things might be absutely nothing to do with the work environment. In this case, the Root Cause was that a person took a decision to screw over his colleagues because he'd been disciplined.
Of course, it should then also apply to such as those who incorrectly e-mailed out the Journo's details on the porn age thing : https://www.bbc.co.uk/news/uk-47962405
And as Swarthy says above, it is Management's failings that are the real fault not the rogue/hapless employee that does the actual deed.
As has been said multiple times, it is only when govt (national AND local) employees, especially the highly remunerated "Managers", suffer the repercussions themselves will things start to improve.
And should such events occur in the future, and Insurance pays out, then recover the excess and increased premiums from those actually responsible.
Biting the hand that feeds IT © 1998–2020