At the Supreme Court, Morrisons pops data breach liability win into its trolley – but it's not a get-out-of-compo free card for businesses

Morrisons supermarket is not liable for the actions of a disgruntled employee who deliberately leaked nearly 100,000 employees' payroll data online, Britain's Supreme Court has ruled.

Grudge-bearing auditor

The case was brought over the actions of Andrew Skelton, a Morrisons auditor, who in 2014 was supposed to be transferring …

  1. katrinab Silver badge

    One thing I'm confused about

    If he was an auditor, then wouldn't he be working for KPMG rather than Morrisons?

    Or if he was transferring the data from Morrisons to KPMG in order for it to be audited, then wouldn't he be someone in the Morrisons payroll department?

    1. MiguelC Silver badge

      Re: One thing I'm confused about

      Internal auditor?

      1. Anonymous Coward

        Re: One thing I'm confused about

        Yes, Internal Auditor, described previously as a Senior Auditor.

        One would think he would have a major role in ensuring that the IT systems and processes were 1) as efficient as possible and 2) fully complied with all current legislation. It surely fell within his role to ensure such data theft couldn't happen at all, never mind happen so easily.

        How big was Morrisons' audit department? He must have had several colleagues, and who did he report to? Supervised by?

        Back in the early to mid eighties, a West Yorkshire based supermarket with total staffing of around 6500 personnel had an internal audit department of 3. Turnover circa £300m-£350m around that time.

        Not sure what it is now, but a few years back they posted a £943million annual profit one year.

  2. alain williams Silver badge

    Error or malicious act

    Organisations need people to do things. Some of these things can be delicate. The best that an organisation can do is to train people so that they know what they must & must not do and to make it technically hard for them to do the wrong thing.

    But there are limits on what can be done to stop an insider, who needs access to sensitive data to do his job, from abusing the trust that they have been given.

    This is cold comfort to those whose data was spaffed around the place, but they are victims of Skelton not Morrisons. It is right that Skelton is now eating porridge.

    1. Aristotles slow and dimwitted horse Silver badge

      Re: Error or malicious act

      I agree to a point. But those "limits" can very much be reduced to small percentages. Stating that Morrisons did "everything" they could to prevent data loss is not entirely consistent with allowing him to manually transfer the entire HR data extract onto a USB stick for delivery to KPMG.

      Assume Morrisons IT and OpSec teams haven't heard about secure encrypted file transfer or DLP solutions yet?

    2. big_D Silver badge

      Re: Error or malicious act

      Exactly, I feel sorry for the employees, but I have to agree with the Court in this case. They did everything they reasonably could - the data was put on an encrypted USB stick for the transfer to KPMG, it wasn't spaffed over an unencrypted FTP link or per email, they took "all reasonable precaution", with the possible exception of not realising Skelton held a grudge.

      That he held a grudge for his own stupidity and decided to take revenge by publishing the information entrusted to him in no way falls under what his expected duties were. If he had lost the stick when taking it to KPMG and it wasn't encrypted, that would be part of his expected duties, but extra-curricular activities outside of his job role (he was not expected, as part of his role, to publish the information anywhere online) cannot reasonably be covered by Morrisons' liability.

  3. Anonymous Coward

    "...having done everything it reasonably could have to protect that data."

    How about not letting a single person have the capability to access 100,000 people's personal information? Implement a two-person rule when dealing with masses of data? That sure seems reasonable to me, and is in fact the rule where I used to work at HMRC. Access was via an airgapped network, two people in the room at all times, one watching and one typing the necessary commands.

    1. just another employee

      Auditor

      ...but he was an Auditor.

      Maybe he needed access for his job... like... you know... to Audit how staff data was being managed?

      1. Anonymous Coward

        Re: Auditor

        "I need access to the live database to run an extract for the auditor"

        "Sure, send me the script you intend to run for review, I'll create the ticket, attach it and forward it for business approval, then forward it to the DBA to action."

        Oh no, that's such a hard process! So unreasonable to expect a company with a mere 100,000 employees to exhibit a basic level of professionalism.

    2. Anonymous Coward

      "So what the hell do they keep behind that big metal door that needs securing with X-Ray screens, retina scanners and a pair of armed guards with sniffer dogs?"

      "Oh, that's just HR..."

  4. Colonel Mad

    At Last

    The Supreme Court doing law, not politics, makes a change!

    1. Anonymous Coward

      Re: At Last

      Can't believe they got it right for once.

      1. Anonymous Coward

        Re: At Last

        > also decreeing that previous findings by the High Court and Court of Appeal were mistaken in law.

        Third time's the charm. Why does the legal system find it so hard to get it right first time? In any other line of work you'd be sued for such incompetence.

    2. Danny 14 Silver badge

      Re: At Last

      The supreme court often gets things right because they are proper judges.

    3. Intractable Potsherd Silver badge

      Re: At Last

      The Supreme Court has never done politics. Anyone with the vaguest knowledge of constitutional law knows that the review of the Brexit actions, or Johnson's prorogation of Parliament (for they are what you refer to, I suspect) have a long history of being in the Courts' purview, and quite correctly so.

  5. Jimmy2Cows Silver badge

    Exaggerate much?

    > My clients entrusted their personal information to their employer, Morrisons, in good faith. When their information was subsequently uploaded to the internet by a fellow employee, it caused an enormous amount of upset and distress to tens of thousands of people.

    Sure it's not a nice thing to happen, but I suspect most of the victims didn't suffer enormously. Mostly this lawyer's clients saw an opportunity for some compo, or the lawyers did and then went ambulance-chasing, and cranked up the feigned concern.

    Chances are many of them are frequently splashing vast amounts of private info all over the internet, without being remotely bothered about it.

    1. Anonymous Coward

      Re: Exaggerate much?

      I wouldn't be surprised if behind the scenes, Morrisons and other large organisations were encouraging this suit just so they could get an answer to the question "are we responsible for a rogue employee in these circumstances". It certainly wouldn't be the first time that had happened.

  6. Jimmy2Cows Silver badge

    Legal avenues

    > The Supreme Court's decision now places my clients, the backbone of Morrisons' business, in the position of having no legal avenue remaining to challenge what happened to them.

    Yep, because the SC has decided they're suing the wrong entity.

    They are still free to sue the arsehole who actually did the leaking, and would probably win given he's already banged up for it. Pyrrhic victory though. Somehow doubt he has the funds to settle ~100k of claims.

    I blame the lawyers, chasing the deeper pockets and trying to convince the victims Morrisons would be liable for the grossly rogue actions of an employee. Hope this was no-win no-fee.

  7. Christoph

    If it had gone the other way it would be wide open for companies to plant agents in rival companies to deliberately leak data and have the rival sued. The agent of course taking more care to not get caught themselves.

  8. Bernard Peek

    Negligence

    Enabling an employee to copy unencrypted sensitive data to a USB stick. Sounds like negligence to me.

    1. Anonymous Coward

      Re: Negligence

      It was part of his job. He only had access to the data for the purpose of copying it to an encrypted USB key to send to KPMG. He used that opportunity to make a copy. Even if they'd had a DLP or other monitoring solution, it wouldn't have detected anything unusual because it was part of his job. In 2014, mailing an encrypted USB for a large sensitive data transfer was one of the best solutions for most large organisations. Yes there's more they could have done as there always is but they were completely within the guidelines of the DPA and took reasonable actions to protect the data.

      1. EnviableOne Silver badge

        Re: Negligence

        They were negligent in allowing just him to do it, and not getting a second person to confirm that only one copy was made and that the extract was securely deleted.

        They were the data controller (the employees entrusted their data to them), they lost control of the data and breached Data protection regulations. This would be true even if the information had not been posted online.

        They also failed in their duty to exercise reasonable care, skill and diligence, as this is not the way to transfer data to one of the major accounting firms.
