Morrisons supermarket: We're taking payroll leak liability fight to UK Supreme Court

Morrisons has vowed to take its hack liability fight to the UK Supreme Court after failing to convince Court of Appeal judges it should not be held responsible for the actions of a rogue employee who leaked the supermarket's entire payroll via Tor. The under-fire chain is battling a class action lawsuit brought by 5,000 of its …


  1. HmmmYes

    I'm going to go through this ruling when it's announced.

    Be interesting to see where the court reckons the blame lies, and why.

    1. GnuTzu

      Key Considerations

      1) Did the company set reasonable policy, and properly inform employees thereof?

      2) Did the company provide reasonable controls to enforce said policy?

      3) Was there a breakdown in the enforcement of those controls?

      4) Or, did the perpetrator intentionally and successfully evade and circumvent those controls?

      Yeah, it'll be interesting to see how this plays out.

    2. Aqua Marina

      So what happens if...

      A Morrisons cleaner decides one day to take his mop and bludgeon shoppers to death with it in store. Has the outcome for Morrisons changed because of the degree of criminal behaviour?

    3. Persona

      The devil is in the detail. If a financial auditor asks for a dump of the payroll data to ascertain there are no inappropriate payments, the auditor will always be given access as it's within the remit of their job. If it's an IT auditor, however, they should not be given it because it's not their job. However, if they say they are auditing the controls that protect the data, they do get access to examine the controls. If in the process of examining the controls the IT auditor discovers an issue that allows them to take a copy of the data, it's hard to assign employer liability, as the employer is running a control process with the aim of ensuring that the data is adequately protected.

      The real difficulty comes when the system and finance people supporting the auditors don't have the experience to know what a financial auditor must be permitted to do compared with what an IT auditor must be permitted to do. Some auditors do their best to bypass the management chain and go straight to the lower-level workers that have been pulled in to assist with prior queries. To make matters worse, sometimes an IT auditor gathers data for a financial auditor.

      In short, it's difficult to provide a control framework that is proof against the very framework they are auditing to be sufficient.

  2. Giovani Tapini

    I expect to be flamed

    But I don't quite get it...

    The company must be responsible to some extent for the actions of an employee even if they go rogue and do something dumb.

    I would suggest this may mitigate to some extent damages awarded against them as controls will never be able to eliminate this risk.

    Trying to argue that a corporation has no responsibility for employee actions rogue or otherwise would create all sorts of bizarre anomalies. This would surely mean that the guys fixing LIBOR were nothing to do with their employer either.

    Effectively corporates would gain almost total immunity to the law if taken to its furthest (and possibly ridiculous) extent. Every issue would simply require a scapegoat found.

    1. Nick Kew

      Re: I expect to be flamed

      The corporation is responsible for the corporate culture and environment in which things happen. I would hope that would be considered relevant to the level of corporate blame and/or responsibility when bad things happen.

      That's why employees have to go through all that tedious box-ticking training, on subjects ranging from Elfin Safety to Diversity Awareness. So when Dodgy Joe gets accused - rightly or wrongly - of harassing Dodgy Jo, the company has at least not been negligent in failing to educate him.

      Bottom line that I expect Morrisons are trying to argue is that this was so far from acceptable within their corporate culture as to be totally distanced from them. That would be very different to an "everyone does it" culture that seems to have affected banking.

    2. Oliver Mayes

      Re: I expect to be flamed

      No employee should be able to fully export their payroll data and take it out of the building. The company should be liable for not securing that data at the very least.

      1. Black Betty

        Re: I expect to be flamed

        RTFA: Skelton was specifically tasked with providing that payroll data to KPMG. Whilst doing so he took a copy for himself.

        1. Anonymous Coward

          Re: I expect to be flamed

          Once upon a time, long before the InterwebzOfTwattery became a saleable (if laughable) concept, there was this thing called "two factor authentication".

          It's even been written about on this fine organ here from time to time.

          In oversimplified terms here (and in some other well documented cases), you might see a setup where one player has access to the bits in the file, but not to the 'meaning' of those bits, and a different player has access to the meaning (but doesn't have access to the bits).

          It therefore takes two untrusted players before it becomes easy for information to leak.

          One of the two players in this picture was a Big Four auditor [1] but y'know, set that aside for now.

          What difference might such a concept have made in this case?

          [1] KPMG's audit work unacceptable, says watchdog

          https://www.bbc.co.uk/news/business-44526486 (and elsewhere, 18 June 2018)

          The auditing work of one of the world's "Big Four" accounting firms has been sharply criticised by the industry's watchdog. KPMG audits had shown an "unacceptable deterioration" and will be subject to closer supervision, the Financial Reporting Council said. The FRC added all the Big Four - which also include PwC, EY and Deloitte - needed to reverse a decline.

          [...]

          KPMG came in for criticism over its audit of collapsed construction firm Carillion earlier this year, and the FRC has opened an investigation into the group under the Audit Enforcement Procedure.

          The auditor was also recently fined £3.2m by the watchdog over its audit of insurance firm Quindell. Last year, the FRC opened an investigation into KPMG's audit of the accounts of aero-engine maker Rolls-Royce.

          [...]

          1. Allan George Dyer

            Re: I expect to be flamed

            You're confusing "two factor authentication" with "dual control".

        2. kwhitefoot

          Re: I expect to be flamed

          Pure laziness. KPMG should have audited it on-site.

      2. Keith Langmead

        Re: I expect to be flamed

        "No employee should be able to fully export their payroll data and take it out of the building."

        Did you even read the article to the end? It was his job specifically to export that data!

        "Skelton, the data thief, was an IT auditor for Morrisons."... "After external auditor KPMG asked for copies of various data including the entire company payroll, Skelton made a private copy of it from an encrypted USB stick."

        So not only was he the one tasked with making the copy, but the export had been made to an encrypted device, which to my mind suggests Morrisons' procedures had taken care to protect the data in transit. He, however, knowing the details needed to access that secure drive, made the copy from there and not from their systems directly (so avoiding any audit logging they might have had in place for tracking mass exports).
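The point in the comment above, that a copy taken from the already-exported stick sidesteps any logging on the database export itself, is only a problem if the detection logic looks at one log source. As an added example (not Morrisons' or KPMG's tooling, and not code from the page), the script below correlates a hypothetical unified event log covering both database exports and endpoint file copies against a set of approved export tickets. The log format, user names, ticket numbers, threshold and the four sample lines are all constructed for illustration.

```python
"""Spotting a second, unapproved copy of a bulk export in audit logs.

Added example, not Morrisons' or KPMG's tooling.  The log format, user
names, ticket numbers and thresholds are invented for illustration; the
sample lines below are constructed, not real records.
"""
import re
from collections import Counter

# Constructed sample: one approved bulk export to an encrypted stick, then a
# quiet copy from that stick to a second removable device with no ticket.
SAMPLE_LOG = """\
2018-10-22T09:02:11Z user=it_auditor action=db_export src=payroll_db dst=removable:usb01 rows=100000 ticket=T-1001
2018-10-22T09:40:57Z user=it_auditor action=file_copy src=removable:usb01 dst=removable:usb02 rows=100000 ticket=none
2018-10-22T10:15:03Z user=payroll_clerk action=db_query src=payroll_db dst=screen rows=12 ticket=none
2018-10-22T11:00:00Z user=backup_svc action=db_export src=payroll_db dst=backup:vault rows=100000 ticket=T-0999
"""

APPROVED_TICKETS = {"T-1001", "T-0999"}   # hypothetical approval records

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) rows=(?P<rows>\d+) ticket=(?P<ticket>\S+)$"
)


def parse_line(line):
    """Return the event as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["rows"] = int(ev["rows"])
    return ev


def find_suspicious_exports(log_text, approved_tickets, bulk_threshold=1000):
    """One alert per event the controls should have caught: bulk volume
    without an approved ticket, any write to removable media without an
    approved ticket, or one ticket cited by more than one transfer."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    ticket_uses = Counter(ev["ticket"] for ev in events if ev["ticket"] != "none")
    alerts = []
    for ev in events:
        reasons = []
        approved = ev["ticket"] in approved_tickets
        if ev["rows"] >= bulk_threshold and not approved:
            reasons.append("bulk volume without approved ticket")
        if ev["dst"].startswith("removable:") and not approved:
            reasons.append("write to removable media without approved ticket")
        if ev["ticket"] != "none" and ticket_uses[ev["ticket"]] > 1:
            reasons.append("ticket reused for more than one transfer")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"],
                           "action": ev["action"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_exports(SAMPLE_LOG, APPROVED_TICKETS):
        print(alert["ts"], alert["user"], alert["action"], "; ".join(alert["reasons"]))
```

Run as a script it prints the one alert: the 09:40 file copy between two removable devices, which is large and carries no ticket. The approved export and the backup job are silent because their tickets are on the approved list. The detection only works because endpoint copies land in the same log as database exports; a rule that watches the database alone sees nothing wrong.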

        1. Doctor Syntax Silver badge

          Re: I expect to be flamed

          "It was his job specifically to export that data!"

          It wasn't his job to export the data for himself to take away. It's up to Morrisons to have sufficient controls in place to prevent that.

          1. Nick Kew

            Quis custodiet ipsos bootstrap?

            It wasn't his job to export the data for himself to take away. It's up to Morrisons to have sufficient controls in place to prevent that.

            Morrisons then has to employ (or contract) someone to devise and implement such controls.

            As I said, though, this is non-trivial and there is an implicit trust placed in IT personnel. The implication is generally that a skilled admin will never be able to work in that field again if he wilfully and maliciously abuses that trust, so the risk is considered small.

            It would be ageist to refuse to hire a skilled admin close to retirement. Sexist to refuse one who might leave the workplace to become a full-time mother. And clairvoyant to know your sysadmin has an entirely new career lined up.

            1. phuzz Silver badge

              Re: Quis custodiet ipsos bootstrap?

              "a skilled admin close to retirement"

              Retirement? That's that thing that boomers do where they just stop working, right?

              Don't worry, no one under forty will be able to afford that, even if we do live until eighty or whatever the retirement age is by then.

        2. Roland6 Silver badge

          Re: I expect to be flamed

          "The key question of any case of vicarious liability is whether the employee was acting in a personal capacity, or in the course of their employment."

          "After external auditor KPMG asked for copies of various data including the entire company payroll, Skelton made a private copy of it from an encrypted USB stick."

          So it is clear that at the moment Skelton made a private copy he was acting in a personal capacity and not in the course of his employment. So if ACAS have it right, Mr Justice Langstaff's December 2017 ruling is based on flawed understanding and thus is unsafe. Reading through the original judgement I think para 183 makes clear that Langstaff has confused Skelton's personal preparations to disclose information with the course of his employment and starts to write his own narrative based on faulty logic and goes on to reframe evidence to 'support' his faulty understanding.

      3. a pressbutton

        Re: I expect to be flamed

        Well, you pretty much do that every time you pay them.

        the point is procedures / safeguards / security and control (as others have said)

    3. Tom Melly

      Re: I expect to be flamed

      Unlike the LIBOR stuff, the employee here was acting against the interests of the company, so there's no question that Morrisons encouraged this by any means.

      I honestly can't see how they're liable, since I can't honestly see how they could have prevented this. The guy wasn't acting out of ignorance - he damn well knew what he was doing was wrong.

      1. Anonymous Coward

        Re: I expect to be flamed

        > I honestly can't see how they're liable ...

        If you employ someone, and they do something which damages other people... you (the employer) are liable for it. The motive of the employee isn't relevant, as you're the responsible party.

        1. Anonymous Coward

          Re: I expect to be flamed

          "If you employ someone, and they do something which damages other people... you (the employer) are liable for it. "

          So if I deliver pizzas for your pizza company, and I run over someone, you expect to be charged for murder?

          1. eldakka

            Re: I expect to be flamed

            So if I deliver pizzas for your pizza company, and I run over someone, you expect to be charged for murder?

            This case isn't about criminal charges, it is about civil liability - fines/monetary compensation.

            And in that case, absolutely would the pizza company have to pay some level of compensation to the victim and/or victim's family. If for no other reason than they hired someone and placed them in a role (driving a death machine) they were not suited for.

      2. Dan 55 Silver badge

        Re: I expect to be flamed

        I honestly can't see how they're liable, since I can't honestly see how they could have prevented this.

        Encrypt it with a password/secret that he didn't know.

        1. Brewster's Angle Grinder Silver badge

          Re: I expect to be flamed

          "Encrypt it with a password/secret that he didn't know."

          Okay, let's suppose a prescient designer set up the system so that when an encrypted archive is exported, the password is handed to a nominated second user, and that the two users don't collude while transferring it to the external auditor, then we still have a person (the external auditor) who has access to the data on unaudited media and has the password.

      3. eldakka

        Re: I expect to be flamed

        Unlike the LIBOR stuff, the employee here was acting against the interests of the company, so there's no question that Morrisons encouraged this by any means.

        I honestly can't see how they're liable, since I can't honestly see how they could have prevented this. The guy wasn't acting out of ignorance - he damn well knew what he was doing was wrong.

        So, what about this example.

        An on duty COP on foot patrol sees someone he doesn't like walking along minding his own business, pulls his service firearm and shoots dead that person.

        Are you saying that the Police Force (or its government overseers) couldn't be held accountable, couldn't be sued, for the unconscionable, totally against any and all police training and procedure and unforeseeable, actions taken by the COP?

        Or, while on duty, a COP uses police databases to find the home address of someone whose address may not otherwise be easily publicly available, say a Judge or other official whose information is usually kept restricted, also stealing a firearm from the evidence locker. Then, later, after they've gone off duty, they take that firearm they stole from evidence round to that person's home address and shoot them dead.

        Are you saying the Police Force would have no liability because it was against training and policy, and it was criminal/civil acts (violated data access policies, stole from the evidence locker)?

        The common situation is as follows:

        1) Person obtains information and/or items through their employment, that they otherwise would not have access to.

        2) Person uses said information and/or items in a criminal act and/or civil tort while still also employed by that employer.

        Employer bears some element of responsibility under normal common law tort, which would then be decided in a court (or optionally an out-of-court settlement if civil): maybe only 5% responsibility, say a slap-on-the-wrist $1000 fine; maybe significant responsibility, say 35%, so a significant penalty, $25k fine; maybe majorly responsible, 60%, $100k fine, and potential criminal liability also gets investigated.

        And that is under everyday common law tort. But here we have specific legislation to also consider that covers liability.

    4. phuzz Silver badge

      Re: I expect to be flamed

      If your payroll data is internal then your backup admin can probably get at it. Most companies don't have a specific backup admin though, so it'll be any/all of your sysadmins, plus their manager who's insisted on having domain admin credentials despite not having done any support work since NT 4.0.

      Even if you work in the one company in a hundred that's prevented their sysadmins from having access to all systems, at some point someone in accounts is going to have to pay people, and that means access to the payroll data.

      1. Dr. Mouse

        Re: I expect to be flamed

        If your payroll data is internal then your... admin can probably get at it.

        That depends on the setup.

        While not trivial, it is possible to make a system which will not allow the admins access to full plaintext data. Data security concepts require restricting the data to only those who need access.

        As I said, though, this is non-trivial and there is an implicit trust placed in IT personnel. The implication is generally that a skilled admin will never be able to work in that field again if he wilfully and maliciously abuses that trust, so the risk is considered small.

        In this case, the only way I can see that this could have been prevented would have been to make the export encrypted using a key known only to the auditor: Maybe using asymmetric encryption, or just a passphrase entered directly by the auditor. However, you still have to trust that the auditor won't leak the data...

        I agree with the above comments: as long as Morrisons' data protection policies, procedures and systems are good, the fact that the employee criminally stole the data should at least reduce their culpability in this matter. Reading between the lines, there is no suggestion that their procedures and systems were not up to scratch. The vast majority of the blame should lie with the thief, and Morrisons should learn from this incident and improve procedures to make it more difficult in the future.

      2. Alan Brown Silver badge

        Re: I expect to be flamed

        "If your payroll data is internal then your backup admin can probably get at it. "

        And as such, you need to observe GDPR or data protection rules - starting with the absolute minimum set of people able to have access as possible and controls to prevent misuse.

    5. Someone Else Silver badge

      Re: I expect to be flamed

      Trying to argue that a corporation has no responsibility for employee actions rogue or otherwise would create all sorts of bizarre anomalies.

      Of course it would, one of which would be the "Libertarian Utopia" all 1-percenter corporatists cream their Brooks Bros. slacks over.

  3. silks

    Indeed, Morrisons are responsible for the actions of their employees.

    1. Nick Kew

      So when a Morrisons employee crashes their car, the victims (or their family) will know where to turn for compensation? Even if the employee was under no pressure of work, no need to hurry?

      1. Tom Melly

        Does he crash it whilst on company business or during his own time? Besides, not that relevant unless the driver had no insurance.

      2. Doctor Syntax Silver badge

        "So when a Morrisons employee crashes their car"

        Who's "their" in this context? If it's Morrisons' car then very likely their responsibility: either he's on Morrisons' business or he's taken it without their permission and Morrisons failed to have sufficient controls in place. If it was his own car and he was driving for his own purposes then it was nothing to do with Morrisons. However, when an employee is using Morrisons' own computing facilities then they have to have some responsibility for what's done with them.

        I've got to go out now. I need to get some bread at Morrisons.

        1. Anonymous Coward

          Do you let a bull run riot?

          If you fence in a bull, and it escapes, we can discuss who is to blame.

          If you leave the door open, and the bull escapes, do we need to discuss if the bull is to blame or the one who left the door open?

    2. Jason Bloomberg Silver badge

      Morrisons are responsible for the actions of their employees

      Not entirely. It depends on what those employees do and what steps an employer has taken to prevent that and ensure it does not happen.

      There are things which an employer has little control over and they are unlikely to be held culpable when that happens. But, in this case, the courts have determined Morrisons did not do enough and that's what leads to them being held culpable.

      Whether an employee should be held culpable should an employee go postal and shoot-up the office is often presented as obviously being beyond an employer's control. But the fact is it comes down to how likely that is to happen and what an employer had done to prevent or mitigate such a thing. If they effectively allowed it to happen when they could have prevented or mitigated it but failed to they will be held culpable to some degree.

    3. Warm Braw

      Morrisons are responsible for the actions of their employees

      If you follow that logic to its conclusion it explains MGM suing the victims of the mass shooting in Las Vegas.

      In practice, I would hope responsibility would depend on the extent to which Morrisons were negligent in exercising reasonable controls to prevent such incidents happening. And in that respect, I'm far more concerned that KPMG felt entitled to an entire copy of the company's payroll, without any form of obfuscation, and that their request went apparently unchallenged.

      1. Ochib

        "MGM suing the victims of the mass shooting in Las Vegas."

        MGM is not suing for money, but the company wants a federal court to rule that it cannot be held liable for the shooting by more than 1,000 victims and others it named in the suits. The company said it named only people that have already sued or given notice that they intend to do so.

        It is based on a federal law passed after the Sept. 11 terror attacks, which is known as the Support Antiterrorism by Fostering Effective Technologies, or Safety, Act.

        The law is intended to shield federally certified manufacturers of security equipment and providers of security services from liability should they fail to prevent a terrorist attack, which the law defines as an unlawful act that causes mass destruction to citizens or institutions of the United States.

        MGM contends that under the law, which Congress passed in 2002, it is immunized from liability because it met two conditions: A security company that was hired for the concert had a certification from the Department of Homeland Security, and the shooting qualified, in the company’s view, as an “act of terrorism.”

      2. Dr. Mouse

        I'm far more concerned that KPMG felt entitled to an entire copy of the company's payroll, without any form of obfuscation, and that their request went apparently unchallenged.

        Ditto. Did they need the payroll in its entirety? I doubt it, but it is easier to ask for that than it is to ask for only certain parts, with obfuscated/anonymised fields, and request specific additional data later if needed.

        1. The Nazz

          What surprises me ...

          Is that the request from KPMG for a copy of the entire payroll database wasn't managed at Board level, specifically by the Financial Director (CFO equivalent), and should have been performed by someone in the Finance and Accounting department much more senior than Skelton*. Purely for organisational reasons alone. If at all, why on earth KPMG were not made to do their work on the database whilst under complete scrutiny and security at all times baffles me.

          *Yesterday's BBC article on this matter described Skelton as a Senior *Internal* Auditor, a different role, and not merely an IT auditor though these days IT functions would make up a large proportion of his work.

      3. Anonymous Coward

        Auditors have more power than most employees...

        You would be surprised (or perhaps not) to know just how often a request for data that is otherwise strictly locked down is waved through because "the auditors have asked for it". But the auditors cannot be granted access to the data directly, because of the controls that the auditors insist on being in place.

        So a new rule is created that allows an employee to be given the access they need to provide the auditors with the data they want (I hesitate to use the word "need" here). And as soon as you have that then you have created a bond of trust with any employee given that access. Trust is more easily broken than any control can be circumvented, especially if you have a toxic relationship with the trusted party.

        The fact that any disciplinary process existed at all in respect of the person involved in this case could be seen as a significant indicator of a breakdown of trust - on one, other or both sides. I imagine the courts might be considering that factor not being adequately weighted in the lack of any additional oversight or supervision being applied, until such time as that trust had been re-established with a degree of confidence.

  4. Anonymous Coward

    Just another tax.

    Would the Company be vicariously responsible if the same employee had gone postal as a result of the grievance? I don't think so!

    Lessons learned! If an employee throws a wobbler, give them a zombie knife, not a USB stick.

    1. Anonymous Coward

      Re: Just another tax.

      Would the Company be responsible if the same employee had gone postal?

      Doubt it but I don't know. But they are liable for criminal misconduct of employees within the scope of their employment, that is a well established principle of English law.

      That appears to be the case here, and Morrisons are still trying to weasel out of their responsibility, despite having lost two rounds in court. I hope they'll lose again, bastards. It is worth translating the argument from data to money, to see how the principle of their argument works. Imagine I put my savings with Morrisons Supermarket Bank plc. There's a theft by an employee. Morrisons argument would be "Sorry, you can't have your savings back. They were stolen through an inside job, by one of our employees, but because he broke the law it's not our fault, so you'll have to sue him".

      1. aje21

        Re: Just another tax.

        If a company provides a mechanism by which an employee can transfer client's savings to their own account without anyone needing to approve the transfer, no audit picking it up, etc. then I would suggest they should be liable. In this case the employee was doing the transfer to an outside party as part of their job and *copied* the data in the process. Can't really do that with money...

        If the data which was being provided to the outside party had gone AWOL then the company should be liable. I don't know enough about this specific case to say for sure if Morrisons should be liable for the data breach, but as a principle of law it seems odd that a company should be considered responsible for the actions of its staff when they are NOT doing what the company has instructed them to do.

        If a company has rules in place to prevent data breaches (and suitable technology too) and someone specifically does something against those rules it has to come down to what measures were in place to stop it being possible or to detect it had occurred before the data could get out of the building.

        1. DavCrav

          Re: Just another tax.

          "no audit picking it up"

          He was the internal auditor. And he was giving the data to the external auditor. And it was noticed.

          1. Doctor Syntax Silver badge

            Re: Just another tax.

            "And it was noticed."

            It was noticed by the Argus because he sent them a copy and they did the right thing and notified Morrisons.

      2. Tom Melly

        Re: Just another tax.

        Not that relevant. A bank can pay back the stolen money, and has a clear responsibility to do so, negligent or not. In this case, we're talking about a punitive fine that, IMHO, should only be issued if the company can be shown to have done something wrong (which doesn't seem to have been the case).

  5. Doctor Syntax Silver badge

    “render the court an accessory in furthering Mr Skelton’s criminal aims”

    Nice try. Admirable, even.

    But it conflates two issues. One is his criminal aims for which, according to TFA he's been tried and convicted. The other is in Morrisons' conducting their business in a manner which allowed him or anyone else to do this whatever the aims.

    1. Anonymous Coward

      He was an auditor. He needed access to the full payroll data to do his job. How were Morrisons supposed to be able to mitigate against what he did? Strip searches of staff at the end of each working day to look for hidden USB drives?

      The law needs to be able to hold companies to account where they've contributed to criminal activity, but there has to be some balance, otherwise the courts are just punishing the (corporate) victims. In the meantime the cost of business risk insurance will get pushed up to cover this factor, and everyone ends up shouldering the costs through higher prices.

      1. Anonymous Coward

        Morrison’s are clearly negligent by not blocking USB drives with a Group Policy.

        1. Just Enough

          valid use

          And what if using USB drives is an active and valid part of business operations?

          1. Velv

            Re: valid use

            And what if using USB drives is an active and valid part of business operations?

            Then there will be clear policies and training in place about what is acceptable and what is not acceptable, and an appropriate level of controls.

            For example at a site I previously worked at there is a valid business process that requires a weekly transfer of sensitive data.

            There is a four eyes policy on the extraction and loading of the data - two people must undertake the task.

            The USB ports are software locked - a break glass account is used to complete the task and that account has the role based access to use the USB port. There is an approval process to obtain the break glass credentials and their use is time bound.

            The USB stick is encrypted to a high standard.

            The USB stick is transported by a third party security provider using tamper evident pouches.

            This does not prevent theft of the data, it just makes it extremely difficult without collusion between several people.

            Did Morrisons just let the guy have access to open USB ports with no auditing of the data, and no policy about removing USB sticks from site? Very possibly, and therefore it did not take reasonable precautions to prevent loss.
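Several comments above converge on the same control: Allan George Dyer's "dual control", Brewster's Angle Grinder's password "handed to a nominated second user", Dr. Mouse's export "encrypted using a key known only to the auditor", and Velv's four-eyes extraction with time-bound break-glass approval. As an added example (not Morrisons' or KPMG's process, and not code from the page), the script below implements the mechanics of that procedure in one place: a ticket that requires three distinct people and expires, a fresh data key that is XOR-split into two shares as soon as the archive is written, and an authenticated decrypt that fails unless both shares are combined. Every name, ticket and payroll row is hypothetical; the stream cipher is built from HMAC-SHA256 so the example runs with the standard library alone, where a real deployment would use AES-GCM from a vetted library.

```python
"""Dual-control export: the data key is split between two custodians so no
one person, the exporter included once the job is done, can open the
archive alone.  Added illustration; not Morrisons' or KPMG's tooling.
All names, tickets and payroll rows are hypothetical.

Cipher: encrypt-then-MAC with a keystream from HMAC-SHA256 in counter mode,
standard library only.  Use AES-GCM from a vetted library in production.
"""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: deterministic pseudorandom bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key):
    """Separate encryption and authentication keys derived from one data key."""
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def encrypt(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # wrong key or tampered archive
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def split_key(key):
    """Two-of-two XOR sharing: each share on its own is uniformly random."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def combine_shares(share_a, share_b):
    return bytes(a ^ b for a, b in zip(share_a, share_b))


@dataclass
class ExportTicket:
    ticket_id: str
    requester: str
    approvers: tuple
    expires_at: float


def approve_export(requester, approver_a, approver_b, ttl_seconds=3600, now=None):
    """Four-eyes approval: three distinct people, and the ticket is time-bound."""
    now = time.time() if now is None else now
    if len({requester, approver_a, approver_b}) < 3:
        raise PermissionError("requester and both approvers must be different people")
    return ExportTicket(secrets.token_hex(8), requester, (approver_a, approver_b), now + ttl_seconds)


def export_payroll(rows, ticket, now=None):
    """Encrypt the rows under a fresh key; return the archive plus one key
    share per approver.  The exporter never receives the whole key."""
    now = time.time() if now is None else now
    if now > ticket.expires_at:
        raise PermissionError("export ticket has expired")
    key = secrets.token_bytes(32)
    blob = encrypt(key, json.dumps(rows).encode())
    share_a, share_b = split_key(key)
    del key   # only the two shares leave this function
    return blob, share_a, share_b


def open_export(share_a, share_b, blob):
    """Both custodians present their shares; a single share cannot decrypt."""
    return json.loads(decrypt(combine_shares(share_a, share_b), blob))


if __name__ == "__main__":
    rows = [{"employee": "E001", "salary": 21000}, {"employee": "E002", "salary": 43500}]
    ticket = approve_export("it_auditor", "finance_director", "external_auditor")
    blob, for_fd, for_auditor = export_payroll(rows, ticket)
    print(open_export(for_fd, for_auditor, blob))
```

What this does not solve is the point Brewster's Angle Grinder makes: the person running `export_payroll` still sees the plaintext while the job runs, and whoever ends up holding both shares (here the external auditor, once the second custodian hands theirs over) can read everything. Dual control raises the bar from one insider to collusion, which is exactly the claim Velv makes for the four-eyes process; it does not remove the trust placed in the auditor.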
