Are your fraud detection systems leaving you vulnerable?
Back in 2014, Morrisons had a security incident with a disgruntled member of staff.
In this breach, Andrew Skelton, a senior internal auditor at the supermarket’s Bradford office, leaked the payroll data of 99,998 employees. The leaked information included the names, addresses, gender, dates of birth, phone numbers, National Insurance numbers, bank details and salaries of these employees.
Despite the leak happening due to a single, malicious, criminal and vindictive employee, the High Court and Court of Appeal found Morrisons, albeit an innocent corporate victim, vicariously liable for the actions of their employee.
The Supreme Court have just granted Morrisons permission to appeal the ruling.
Morrisons’ defenses were appropriate
What’s most shocking about this case is that Morrisons’ defenses were found satisfactory and appropriate.
Morrisons argued that it wasn’t responsible for Skelton’s actions as he was acting without their knowledge or permission and therefore unlawfully, and that they had taken all the necessary precautions to secure employees’ data. Nevertheless, Morrisons were still deemed ultimately responsible for the actions of Skelton as he was engaged by them.
Liability is extremely complex
This incident shows just how complex liability can be regarding data breaches. It shows that controllers are vicariously liable for the actions of their staff, even if their staff have acted maliciously.
Nick McAleenan, a partner at JMW Solicitors, which is representing the claimants in the ongoing case, adds: “This was a very serious data breach which affected [thousands of] Morrisons’ employees – they were obliged to hand over sensitive personal and financial information and had every right to expect it to remain confidential. Instead, they were caused upset and distress by the copying and uploading of the information.”
What can we learn from this?
To fully protect yourself from data breaches, it’s not enough to simply have secure systems in place.
You need to have enough systems in place to detect fraud, but not so many that you may breach the Human Rights Act and actually invade privacy. It is a fine line that you must walk and it really will benefit you to talk to specialists such as ourselves here at The Griffin House Consultancy.
For any advice on your data handling, systems or vulnerabilities, talk to us today on 01673 885 533 and we’ll be happy to help.