Don't make us pay compensation for employee data breach, Morrisons begs UK court

Lawyers for supermarket chain Morrisons today urged the UK Court of Appeal to overturn an earlier judgment that made the company partly liable for a criminal data breach that saw 100,000 people’s payroll details published via Tor. Four years ago a disgruntled Morrisons employee, Andrew Skelton, who had legitimate access to the …


  1. Velv
    Boffin

    While the employee had legitimate access, were Morrison’s controls on its staff sufficient to make the breach difficult or detectable? Clearly not, as the breach was only discovered when it was published on Tor. So Morrisons must bear some liability.

    1. Jason Bloomberg Silver badge

      I would tend to agree. Morrison's shouldn't be allowing employees to walk out with sensitive and personal information they shouldn't take with them.

      Everyone appreciates it's not always possible to stop ne'er do wells doing what they shouldn't, and full-cavity body searches at pub o'clock are likely inappropriate, but the original hearing determined that Morrison's clearly had not done enough to prevent the theft of confidential data.

      But Morrison's do have a point: if Parliamentary legislation excludes them from being held vicariously liable then they should be off the hook for that.

      1. DavCrav

        "Everyone appreciates it's not always possible to stop ne'er do wells doing what they shouldn't, and full-cavity body searches at pub o'clock are likely inappropriate, but the original hearing determined that Morrison's clearly had not done enough to prevent the theft of confidential data."

        If the standard to which companies will be held is 'was it physically possible to stop this from happening by some means?' then all employees will have to be subject to the cavity searches, because small cameras exist.

      2. Anonymous Coward
        Anonymous Coward

        Morrisons was not at fault

        This is factually incorrect. Morrisons was explicitly found not to have been at fault. If it had been at fault, it would have been liable rather than vicariously liable. It's all clearly set out in the judgement, which anyone can read - I have.

    2. Anonymous Coward
      Anonymous Coward

      Morrisons vicariously liable but not at fault

      If you read the judgement from the original trial, you will see that Morrisons was found not to have breached the Data Protection Act and indeed was not found to have been at fault at all. Without wishing to go into the detail of the law on vicarious liability, Morrisons was held to be vicariously liable for the criminal actions of its employee, but that does not imply any fault and the judge was quite clear that Morrisons did not act unlawfully.

      Imagine that an employee takes a photograph of a sensitive document to which he or she had authorised access, how is an employer supposed to detect that?

      1. LucreLout

        Re: Morrisons vicariously liable but not at fault

        Imagine that an employee takes a photograph of a sensitive document to which he or she had authorised access, how is an employer supposed to detect that?

        Why does the employee need a personal device in the workspace? Go chat to anyone that's worked at a hedgie or on a trading floor and you'll pretty quickly see that lots of places dealing with sensitive info don't permit personal phones.

        If Morrisons chooses to run that risk then they should rightly be considered to have chosen to be liable.

        Security is always a balance, but then, so are operational costs. Fines when an employee goes rogue are part of the cost of doing business. It's not like their customers or most staff get any say in the hiring process.

        1. Roland6 Silver badge

          Re: Morrisons vicariously liable but not at fault

          >Why does the employee need a personal device in the workspace?

          Remember BYOD?

          Also I presume you have (successfully) lobbied your employer to ban employees having personal devices in the workplace and thus you yourself don't carry a personal mobile phone....

          1. LucreLout

            Re: Morrisons vicariously liable but not at fault

            Also I presume you have (successfully) lobbied your employer to ban employees having personal devices in the workplace and thus you yourself don't carry a personal mobile phone....

            You presume wrong. I haven't lobbied for anything. The company has its own rules that long pre-date my working here, so yes, my personal mobile goes into a locker before I go onto the trading floor. Everyone's does. It's really no kind of problem at all.

            1. Roland6 Silver badge

              Re: Morrisons vicariously liable but not at fault

              >so yes, my personal mobile goes into a locker before I go onto the trading floor.

              Right, now I understand where you are coming from...

              When I started work (pre-mobile phones) making private phone calls whilst at work was a hassle, I'm not sure if we can easily get back to this state of affairs or whether it is desirable.

              As an external consultant, since the mid-1990s I have nearly always turned up at client sites with my personal phone and laptop (i.e. my tools, which are owned by my business) - only leaving them in the bag/car/at home when the client provides 'tools' and specifies non-use of third-party equipment on their premises.

              However, for probably the vast majority of enterprises it is now a well established practice for people to carry around their own personal mobile phone/tablet, which may or may not be connected to the corporate IT (whether on the guest network or in many cases directly on the corporate network!!).

    3. Anonymous Coward
      Anonymous Coward

      NHS?

      I'm keen to see how the judgement pans out. As an employee in the NHS, I have concerns over the handling of data, and we lack the funds, in my opinion, to appropriately protect it or even detect a breach. A lot of goodwill is expected, but one rogue staff member is all it takes.

  2. Pete 2 Silver badge

    You shouldn't be able to get to there from here.

    > ... who had legitimate access to the company’s entire payroll, published its contents online using anonymising network Tor.

    While that part is undeniable, the employer should have protections in place to prevent a (legitimate) user from either taking a copy of the data to remove from the workplace, or from being able to upload it to an off-site location.

    If that means that users' PCs don't have any ability to plug USB drives (or anything else) in, that would be a definite step forward. It would also stop people loading dodgy stuff onto a PC or server.

    It it further means there needs to be an air gap between internal systems holding sensitive data and anything with a public internet access then that would be a good thing, too.

    One could possibly go further and question the need for any office computer to have general-purpose internet access, at all.

    Having those restrictions in place would also go a hell of a long way to stopping the reverse: bad people gaining access to sensitive data from outside the building.

    1. DonL

      Re: You shouldn't be able to get to there from here.

      "It it further means there needs to be an air gap between internal systems holding sensitive data and anything with a public internet access then that would be a good thing, too."

      That would indeed be the only way to stop this kind of thing from happening.

      It would be helpful if they included these requirements in EU laws or guidelines. I don't think a lot of companies are doing this currently and it is therefore extremely easy for rogue employees to leak data (either by email, HTTP upload, FTP or USB). Also, employee privacy laws make it very difficult to detect these kinds of things.

    2. DavCrav

      Re: You shouldn't be able to get to there from here.

      "It [sic] it further means there needs to be an air gap between internal systems holding sensitive data and anything with a public internet access then that would be a good thing, too."

      These are payroll computers. So they communicate with HMRC. What you are saying is that, every day, the updated HMRC stop orders, new tax codes, etc., should be verbally read off the office computer with Internet access, then dictated onto the computer that deals with payroll. (Because you also want no USB access for this computer as well.) And back again: updated PAYE details at the end of each month have to be dictated onto the Internet-enabled computer.

      That won't lead to any errors ever. And still won't stop people with cameras.

      Finance offices deal with invoices from companies, pay credit card bills for company cards, and many other things. All of which need the Internet.

      1. Pete 2 Silver badge

        Re: You shouldn't be able to get to there from here.

        > All of which need the Internet.

        But it doesn't need a public internet connection.

        It just needs the specific ports to the specific address / URL. And the same applies to bank access. There is no reason for a finance computer to ever need access to Google, BBC, Tor, Facebook or anything apart from a few dedicated, preferably hard-wired, connections. Ones that would be audited and under change control.
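What the "specific ports to the specific address" idea looks like as a monitoring control, as an added example that is not part of the original thread or any commenter's post: a small Python script holds an egress allowlist of (host, port) pairs for a finance workstation, runs a few constructed proxy/firewall log lines through it, flags any connection to a destination outside the allowlist, and separately flags a source that has pushed an unusually large volume of bytes to an allowed destination (a permitted channel can still be abused). It also fingerprints the allowlist so that an unreviewed change to it can be spotted, which is the "audited and under change control" part. All hostnames, the log format and the thresholds are assumptions for illustration, not anyone's real configuration; the same check applies to browser-based uploads discussed later in the thread, since those are just more outbound connections in the same log.

```python
"""Egress allowlist check over proxy/firewall log lines (illustrative example)."""
import hashlib
import re
from collections import defaultdict

# Constructed allowlist of the few destinations a finance workstation needs.
# Hostnames and ports are placeholders, not any real organisation's configuration.
EGRESS_ALLOWLIST = {
    ("payroll-gateway.hmrc.example", 443),
    ("online.bank.example", 443),
    ("erp.internal.example", 8443),
}

# Bytes sent per (source, destination) above which a bulk-transfer finding is raised.
BULK_UPLOAD_BYTES = 50 * 1024 * 1024  # 50 MiB, an assumed threshold

# Assumed log format: "<timestamp> src=<host> dst=<host>:<port> bytes_out=<n> action=<allow|deny>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>[^:\s]+):(?P<port>\d+)\s+"
    r"bytes_out=(?P<out>\d+)\s+action=(?P<action>\w+)$"
)

# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = [
    "2018-10-09T09:12:01Z src=fin-ws-01 dst=payroll-gateway.hmrc.example:443 bytes_out=20480 action=allow",
    "2018-10-09T09:15:44Z src=fin-ws-01 dst=online.bank.example:443 bytes_out=4096 action=allow",
    "2018-10-09T09:20:05Z src=fin-ws-02 dst=files.cloud-share.example:443 bytes_out=0 action=deny",
    "2018-10-09T09:21:10Z src=fin-ws-02 dst=erp.internal.example:8443 bytes_out=73400320 action=allow",
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "bytes_out": int(m["out"]),
        "action": m["action"],
    }


def check_egress(lines, allowlist=EGRESS_ALLOWLIST, bulk_threshold=BULK_UPLOAD_BYTES):
    """Flag connections outside the allowlist and bulk outbound transfers per source/destination.

    Returns a list of finding tuples; the first element names the finding type.
    """
    findings = []
    sent = defaultdict(int)  # (src, (dst, port)) -> total bytes sent
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparsed", line.strip()))
            continue
        key = (rec["dst"], rec["port"])
        if key not in allowlist:
            # Whether the firewall allowed or denied it, the attempt itself is worth a look.
            findings.append(("not_allowlisted", rec["src"], rec["dst"], rec["port"]))
        sent[(rec["src"], key)] += rec["bytes_out"]
    # Volume check runs over every destination, allowed ones included.
    for (src, (dst, port)), total in sent.items():
        if total > bulk_threshold:
            findings.append(("bulk_upload", src, dst, port, total))
    return findings


def allowlist_fingerprint(allowlist):
    """Stable SHA-256 over the sorted allowlist, to compare against the value recorded at review time."""
    canonical = "\n".join(f"{host}:{port}" for host, port in sorted(allowlist))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("allowlist fingerprint:", allowlist_fingerprint(EGRESS_ALLOWLIST))
    for finding in check_egress(SAMPLE_LOG):
        print(*finding)
```

Run as written, the script reports the denied connection from fin-ws-02 to the non-allowlisted file-sharing host and the 70 MiB push from the same workstation to the ERP endpoint, which is allowed but well over the threshold. Recording the fingerprint alongside the change ticket that approved the allowlist gives a cheap way to detect an edit that bypassed review.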

        1. Roland6 Silver badge

          Re: You shouldn't be able to get to there from here.

          >There is no reason for a finance computer to ever need access to ... anything apart from a few dedicated, preferably hard-wired, connections.

          There speaks someone who has never worked in or observed an accounts/financials department...

          You are also assuming the guy was accessing the (compromised) database from a finance department designated PC...

        2. Loyal Commenter Silver badge

          Re: You shouldn't be able to get to there from here.

          Computer security is easy, for anyone who has never had any sort of involvement in it.

          For anyone who actually knows about it, they know it is Hard. Reading a few of Bruce Schneier's blogs, or some of his books will give you a sense of just how hard it is.

          Often companies whose main business is computer security get it wrong. Morrisons is a supermarket.

        3. Nick Ryan Silver badge

          Re: You shouldn't be able to get to there from here.

          It just needs the specific ports to the specific address / URL. And the same applies to bank access. There is no reason for a finance computer to ever need access to Google, BBC, Tor, Facebook or anything apart from a few dedicated, preferably hard-wired, connections. Ones that would be audited and under change control.

          A nice thought, in principle. However, with SSL, load balancers, CDNs and anti-DoS protection services it just doesn't, and can't, work in practice.

    3. jabuzz

      Re: You shouldn't be able to get to there from here.

      The thing is, it is almost impossible to stop someone who wants to from getting data off a system. I am sure you could write, say, a PowerShell script to display a series of QR codes or even just a blinking square on the screen from a file that I can capture via video on my mobile phone with an app that turned them back into the original file, and then walk out of the building. How do you propose stopping me doing that? Perhaps I can get the PowerShell script in through the simple expediency of emailing a PDF of the source to myself.

      A 200GB microSD card is £55 on Amazon, with a 400GB one only £130. If you're willing to pay through the nose you can get a 512GB one too, though it will set you back £290.

      Would Morrisons be vicariously liable if an employee walked into a store and gunned people down?

      1. katrinab Silver badge

        Re: You shouldn't be able to get to there from here.

        "Would Morrisons be vicariously liable if an employee walked into a store and gunned people down?"

        Yes they would, and there was actually a case along those lines in 2016, except that the employee attacked the customer with his fists rather than a gun.

        1. Anonymous Coward
          Anonymous Coward

          Re: You shouldn't be able to get to there from here.

          This is correct and an example of where the law on vicarious liability needs to be reviewed. If an employee goes rogue, despite all the best efforts of his or her employer, the employer should not automatically be vicariously liable for the employee's actions.

  3. Anonymous Coward
    Anonymous Coward

    English Idio.....

    British English, as opposed to Australian English, takes "Compo" as an abbreviation of either Composition (mixture) or Compost, of interest mainly to bricklayers, taxidermists and gardeners.

    Kindly talk proper, like what the Queen does.

    1. Roj Blake Silver badge

      Re: English Idio.....

      I'm a Brit, and I regularly use compo as either an abbreviation of compensation or as a reference to an elderly scruffy Yorkshireman.

      1. Locky

        Re: English Idio.....

        As an elderly, scruffy Yorkshireman, I approve

    2. Das Schaf

      Re: English Idio.....

      In my 50 years of speaking and listening to British English in various parts of the country, I have never heard the word Compo used in any other context but as an abbreviation for Compensation.

      1. Commswonk

        Re: English Idio.....

        I have never heard the word Compo used in any other context but as an abbreviation for Compensation.

        For some of us the word "Compo" will always mean "Compo (composite) Rations" unless the context clearly indicates otherwise.

      2. Spoonsinger

        Re: English Idio.....

        However, I'm of similar 50-year standing to the above but have only ever heard it as 'Comp'. The additional 'o' probably allows the speaker to emphasize their supposed barrow boy roots to their target audience.

        1. Anonymous Coward
          Anonymous Coward

          Re: English Idio.....

          Bit classist of you, that.

          1. werdsmith Silver badge

            Re: English Idio.....

            "i is gunna get a new stereo 4 me Corsa wid me ppi compo money innit"

            Is the usual sort of context.

    3. tiggity Silver badge

      Re: English Idio.....

      @ Simon B-52

      When Brits hear "Compo" they think of a character off a dismal TV comedy (that was bizarrely popular with certain people and so limped on for decades). Wonder what a brexshiteer/last of Venn diagram would be like...

      1. HolySchmoley

        Re: English Idio.....

        @ tiggity

        'When Brits hear "Compo" they think of a character off a dismal TV comedy...'

        Careful. You sound like https://en.wikipedia.org/wiki/Victor_Meldrew

    4. Anonymous Coward
      Anonymous Coward

      Re: English Idio.....

      "Kindly talk proper, like what the Queen does."

      In British English, Compo was Clegg's friend.

    5. Anonymous Coward
      Anonymous Coward

      Re: English Idio.....

      compo is quite clearly short for compoke-this-ere-deadferret

    6. sorry, what?
      Devil

      Re: English Idio.....

      It seems that someone eradicated use of that abbreviation - I certainly can't find it.

      Personally, as a native Brit of rather more years than I care to mention, it's not an abbreviation I'd have used for any of the suggested words. I'd have said "dosh" instead of "compensation", "mix" for "composition" and "muck" for "compost".

    7. HolySchmoley

      Re: English Idio.....

      "British English, as opposed to Australian English takes "Compo" as an abbreviation of ..."

      Not to mention a well-known inhabitant of Holmfirth

      https://en.wikipedia.org/wiki/Last_of_the_Summer_Wine

  4. alain williams Silver badge

    I do have some sympathy for Morrisons

    Andrew Skelton was not a director, neither was he part of a team doing something 'furthering corporate aims' that resulted in the data loss or, as is often the case, not doing things that they clearly should have done to prevent the data loss. In order to operate, a company does need to trust some individuals; it is not possible to lock everything down so that someone internal trying to nick data can be prevented 100% of the time.

    Andrew Skelton should have the book thrown at him; he should pay the fine, and if it means that he loses his house then so be it - it might act as a deterrent for others.

    This should, however, not be used as an excuse to allow all corporations off the hook by blaming everything on rogue employees.

    1. Gordon 10
      Stop

      Re: I do have some sympathy for Morrisons

      Not sure I do - he was an auditor for gawds sake. Surely he should have been monitored more closely? It's the accounting version of not monitoring your sys admins.

      1. John Brown (no body) Silver badge

        Re: I do have some sympathy for Morrisons

        "Not sure I do - he was an auditor for gawds sake. Surely he should have been monitored more closely? It's the accounting version of not monitoring your sys admins."

        You can't argue with an Auditor

    2. Anonymous Coward
      Anonymous Coward

      Re: I don't have any sympathy for Morrisons

      it is not possible to lock everything down so that someone internal trying to nick data can be prevented 100% of the time

      IME most companies do very little in terms of real data security. Yes, everybody has to jump through hoops and train in respect of DPA and GDPR, but leakage still goes on. Despite the ready availability of suitable technology, most companies don't use any proper access control and monitoring of sensitive files and databases. Emailing large files in and out is too easy (but should rarely be necessary if the company provides the right tools, although few do), simple approaches like disabling demountable storage are overlooked, etc etc. Yes, if security had been better and he'd been clever enough he might have found a way - but that doesn't appear to be the case. And even then, Morrisons were the custodians; they were the ones who lost it. If I put £500 in the bank, I expect them to keep it safe, rather than say "it wasn't us, it was that rotten armed robber". As an auditor, this twit should have had access on demand for almost anything, but that doesn't mean that he should have had uncontrolled, unmonitored access, nor the ability to exfiltrate data.

      Morrisons are fools for pursuing this case, because it refreshes public memory that they were incompetent (in my view, as per above), and it shows them in denial. Having been ordered by a court to pay, they should then have arranged a suitable non-disclosure settlement to keep it from bobbing up in the press. Instead the twerps try and appeal. I hope they lose. And I'll bear this in mind for future discretionary purchases so that, no matter how small, their poor response has a commercial impact.

      1. Roland6 Silver badge

        Re: I don't have any sympathy for Morrisons

        >Morrisons are fools for pursuing this case

        Err no. You do realise that if Morrisons lose, JMW will have opened the door wide for all the other ambulance chasers...

        Remember this case isn't about the data breach as such but "compensation for the distress caused". Given Morrisons was awarded £170,000 in compensation, it would seem that a cup of coffee from the Morrisons in-store cafe for every employee is about the right level of compensation...

      2. eldakka

        Re: I don't have any sympathy for Morrisons

        Having been ordered by a court to pay, they should then have arranged a suitable non-disclosure settlement to keep it from bobbing up in the press.

        Once you have been ordered by the court to pay, you no longer have the option of setting your own conditions (i.e. requiring an NDA). You can only do that before a court judgement is made, and then have the case dismissed (or never lodge it in the first place) before said judgement is reached.

    3. Anonymous Coward
      Anonymous Coward

      Re: I do have some sympathy for Morrisons

      If Morrisons are found guilty then that means the court is stating that no employer can trust any of its employees.

      What could possibly go wrong...

  5. Anonymous Coward
    Anonymous Coward

    I'm guessing my opinion is going to be unpopular but here it is.

    If as part of his role he should have had access to payroll data and he agreed to sign off on confidentiality then Morrisons are not to blame.

    If Morrisons are found to be at blame then that will require a huge shift in IT policy, access and permissions across many organisations.

    I'm on the side of Morrisons on this one. The perpetrator has already been jailed.

    1. Anonymous Coward
      Anonymous Coward

      "If as part of his role he should have had access to payroll data and he agreed to sign off on confidentiality then Morrisons are not to blame."

      They should be. This wasn't a nation state grade, zero day, fully stealthed APT, it was some knob end employee with a grudge. He simply shouldn't have bulk access to download virtually the entire payroll data. Even in his job, where's the real day to day requirement to take a local copy of that sort of data? I've worked close to these systems, and even had work machines contaminated with unnecessary personal data - but as I wasn't dodgy nothing bad happened. But it shouldn't have been possible.

      So I think you're wrong. Blaming rogue third parties for your company's data loss is merely lazy, third rate defensiveness.

      1. Roland6 Silver badge

        >I've worked close to these systems, and even had work machines contaminated with unnecessary personal data - but as I wasn't dodgy nothing bad happened. But it shouldn't have been possible.

        It is surprising how many IT people throw their toys out of the pram when you limit their access to systems, many seem to think that it is okay that they can access ALL systems and ALL data because "they ain't doing anything dodgy".

        In the new world, I wonder how many IT people realise that having such access now puts them at the top of any list of suspects when an unauthorised data disclosure happens...

    2. Anonymous Coward
      Anonymous Coward

      Spot on

      This is exactly correct. If you read the judgement it was not found nor even argued by the prosecution that Skelton should not have access to the data he illegally published.

  6. TwistedPsycho

    We are missing one important question...

    .... how did the criminal remove the data?

    Skelton was a senior auditor, according to the BBC article at the time of his sentencing, which would suggest to the outsider that the person has responsibilities beyond that of a standard office bod.

    If he was just able to post it to Dropbox then yes there might be a case, but if the company took reasonable steps then you won't stop someone who has a determined grudge.

    1. Gordon 10

      Re: We are missing one important question...

      I thought the whole point of vicariously liable meant that Morrisons were found not to have taken reasonable steps?

      1. Anonymous Coward
        Anonymous Coward

        Re: We are missing one important question...

        This is incorrect.

        If Morrisons had been at fault it would have been found to have been in breach of article 7 of the DPA which it was not. In addition, the judge gave Morrisons right of appeal without an application whereas the plaintiffs were denied the right of appeal on the finding that Morrisons was not at fault.

        If Morrisons had been at fault, it would have been liable as opposed to vicariously liable. This might seem like a narrow legal distinction but it isn't.

    2. Roland6 Silver badge

      Re: We are missing one important question...

      >If he was just able to post it to Dropbox then yes there might be a case,

      You only need a web browser with public internet access to achieve a file upload, so the question is whether it is reasonable to have a web browser installed on a company PC...

  7. Pedigree-Pete
    Meh

    The perp got 8 years...good...

    but we know who'll end up paying the fine and compensation, the customers and employees. PP
