While the employee had legitimate access, were Morrison’s controls on its staff sufficient to make the breach difficult or detectable? Clearly not, as the breach was only discovered when it was published on Tor. So Morrison’s must bear some liability.
Don't make us pay compensation for employee data breach, Morrisons begs UK court
Lawyers for supermarket chain Morrisons today urged the UK Court of Appeal to overturn an earlier judgment that made the company partly liable for a criminal data breach that saw 100,000 people’s payroll details published via Tor. Four years ago a disgruntled Morrisons employee, Andrew Skelton, who had legitimate access to the …
COMMENTS
-
Tuesday 9th October 2018 14:47 GMT Jason Bloomberg
I would tend to agree. Morrison's shouldn't be allowing employees to walk out with sensitive and personal information they shouldn't take with them.
Everyone appreciates it's not always possible to stop ne'er do wells doing what they shouldn't, and full-cavity body searches at pub o'clock are likely inappropriate, but the original hearing determined that Morrison's clearly had not done enough to prevent the theft of confidential data.
But Morrison's do have a point: if Parliamentary legislation excludes them from being held vicariously liable then they should be off the hook for that.
-
Tuesday 9th October 2018 16:03 GMT DavCrav
"Everyone appreciates it's not always possible to stop ne'er do wells doing what they shouldn't, and full-cavity body searches at pub o'clock are likely inappropriate, but the original hearing determined that Morrison's clearly had not done enough to prevent the theft of confidential data."
If the standard to which companies will be held is 'was it physically possible to stop this from happening by some means?' then all employees will have to be subject to the cavity searches, because small cameras exist.
-
Wednesday 10th October 2018 06:19 GMT Anonymous Coward
Morrisons vicariously liable but not at fault
If you read the judgement from the original trial, you will see that Morrisons was found not to have breached the Data Protection Act and indeed was not found to have been at fault at all. Without wishing to go into the detail of the law on vicarious liability, Morrisons was held to be vicariously liable for the criminal actions of its employee but that does not imply any fault and the judge was quite clear that Morrisons did not act unlawfully.
Imagine that an employee takes a photograph of a sensitive document to which he or she had authorised access, how is an employer supposed to detect that?
-
Wednesday 10th October 2018 13:57 GMT LucreLout
Re: Morrisons vicariously liable but not at fault
> Imagine that an employee takes a photograph of a sensitive document to which he or she had authorised access, how is an employer supposed to detect that?
Why does the employee need a personal device in the workspace? Go chat to anyone that's worked at a hedgie or on a trading floor and you'll pretty quickly see that lots of places dealing with sensitive info don't permit personal phones.
If Morrisons chooses to run that risk then they should rightly be considered to have chosen to be liable.
Security is always a balance, but then, so are operational costs. Fines when an employee goes rogue are part of the cost of doing business. It's not like their customers or most staff get any say in the hiring process.
-
Thursday 11th October 2018 08:25 GMT Roland6
Re: Morrisons vicariously liable but not at fault
>Why does the employee need a personal device in the workspace?
Remember BYOD?
Also I presume you have (successfully) lobbied your employer to ban employees having personal devices in the workplace and thus you yourself don't carry a personal mobile phone....
-
Friday 12th October 2018 10:50 GMT LucreLout
Re: Morrisons vicariously liable but not at fault
> Also I presume you have (successfully) lobbied your employer to ban employees having personal devices in the workplace and thus you yourself don't carry a personal mobile phone....
You presume wrong. I haven't lobbied for anything. The company has its own rules that long pre-date my working here, so yes, my personal mobile goes into a locker before I go onto the trading floor. Everyone's does. It's really no kind of problem at all.
-
Friday 12th October 2018 15:25 GMT Roland6
Re: Morrisons vicariously liable but not at fault
>so yes, my personal mobile goes into a locker before I go onto the trading floor.
Right, now I understand where you are coming from...
When I started work (pre-mobile phones) making private phone calls whilst at work was a hassle, I'm not sure if we can easily get back to this state of affairs or whether it is desirable.
As an external consultant, since the mid 1990s I have nearly always turned up at client sites with my personal phone and laptop (i.e. my tools, which are owned by my business) - only leaving them in the bag/car/at home when the client provides 'tools' and specifies non-use of third-party equipment on their premises.
However, for probably the vast majority of enterprises it is now a well-established practice for people to carry around their own personal mobile phone/tablet, which may or may not be connected to the corporate IT (whether on the guest network or in many cases directly on the corporate network!!).
-
Tuesday 9th October 2018 14:15 GMT Pete 2
You shouldn't be able to get to there from here.
> ... who had legitimate access to the company’s entire payroll, published its contents online using anonymising network Tor.
While that part is undeniable, the employer should have protections in place to prevent a (legitimate) user from either taking a copy of the data to remove from the workplace, or from being able to upload it to an off-site location.
If that means that users' PCs don't have any ability to plug USB drives (or anything else) in, that would be a definite step forward. It would also stop people loading dodgy stuff onto a PC or server.
It it further means there needs to be an air gap between internal systems holding sensitive data and anything with a public internet access then that would be a good thing, too.
One could possibly go further and question the need for any office computer to have general-purpose internet access, at all.
Having those restrictions in place would also go a hell of a long way to stopping the reverse: bad people gaining access to sensitive data from outside the building.
-
Tuesday 9th October 2018 15:56 GMT DonL
Re: You shouldn't be able to get to there from here.
"It it further means there needs to be an air gap between internal systems holding sensitive data and anything with a public internet access then that would be a good thing, too."
That would indeed be the only way to stop this kind of thing from happening.
It would be helpful if they included these requirements in EU laws or guidelines. I don't think a lot of companies are doing this currently and it is therefore extremely easy for rogue employees to leak data (either by email, HTTP upload, FTP or USB). Also, employee privacy laws make it very difficult to detect these kinds of things.
-
Tuesday 9th October 2018 16:03 GMT DavCrav
Re: You shouldn't be able to get to there from here.
"It [sic] it further means there needs to be an air gap between internal systems holding sensitive data and anything with a public internet access then that would be a good thing, too."
These are payroll computers. So they communicate with HMRC. What you are saying is that, every day, the updated HMRC stop orders, new tax codes, etc., should be verbally read off the office computer with Internet access, then dictated onto the computer that deals with payroll. (Because you also want no USB access for this computer as well.) And back again: updated PAYE details at the end of each month have to be dictated onto the Internet-enabled computer.
That won't lead to any errors ever. And still won't stop people with cameras.
Finance offices deal with invoices from companies, pay credit card bills for company cards, and many other things. All of which need the Internet.
-
Tuesday 9th October 2018 18:55 GMT Pete 2
Re: You shouldn't be able to get to there from here.
> All of which need the Internet.
But it doesn't need a public internet connection.
It just needs the specific ports to the specific address / URL. And the same applies to bank access. There is no reason for a finance computer to ever need access to Google, BBC, ToR, Facebook or anything apart from a few dedicated, preferably hard-wired, connections. Ones that would be audited and under change control.
-
Tuesday 9th October 2018 20:36 GMT Roland6
Re: You shouldn't be able to get to there from here.
>There is no reason for a finance computer to ever need access to ... anything apart from a few dedicated, preferably hard-wired, connections.
There speaks someone who has never worked in or observed an accounts/financials department...
You are also assuming the guy was accessing the (compromised) database from a finance department designated PC...
-
Wednesday 10th October 2018 13:55 GMT Loyal Commenter
Re: You shouldn't be able to get to there from here.
Computer security is easy, for anyone who has never had any sort of involvement in it.
For anyone who actually knows about it, they know it is Hard. Reading a few of Bruce Schneier's blogs, or some of his books will give you a sense of just how hard it is.
Often companies whose main business is computer security get it wrong. Morrisons is a supermarket.
-
Wednesday 10th October 2018 13:58 GMT Nick Ryan
Re: You shouldn't be able to get to there from here.
> It just needs the specific ports to the specific address / URL. And the same applies to bank access. There is no reason for a finance computer to ever need access to Google, BBC, ToR, Facebook or anything apart from a few dedicated, preferably hard-wired, connections. Ones that would be audited and under change control.
A nice thought, in principle. However with SSL, load balancers, CDNs and anti-DOS protection services it just doesn't, and can't work in practice.
-
Tuesday 9th October 2018 16:03 GMT jabuzz
Re: You shouldn't be able to get to there from here.
The thing is it is almost impossible to stop someone who wants to from getting data off a system. I am sure you could write say a PowerShell script to display a series of QR codes or even just a blinking square of the screen from a file that I can capture via video on my mobile phone with an app that turned them back into the original file and then walk out the building. How do you propose stopping me doing that? Perhaps I can get the PowerShell script in through the simple expediency of emailing a PDF of the source to myself.
A 200GB microSD card is £55 on Amazon with a 400GB one only £130. If you are willing to pay through the nose you can get a 512GB one too, though it will set you back £290.
Would Morrisons be vicariously liable if an employee walked into a store and gunned people down?
-
Tuesday 9th October 2018 18:54 GMT katrinab
Re: You shouldn't be able to get to there from here.
"Would Morrisons be vicariously liable if an employee walked into a store and gunned people down?"
Yes they would, and there was actually a case along those lines in 2016, except that the employee attacked the customer with his fists rather than a gun.
-
Wednesday 10th October 2018 06:19 GMT Anonymous Coward
Re: You shouldn't be able to get to there from here.
This is correct and an example of where the law on vicarious liability needs to be reviewed. If an employee goes rogue, despite all the best efforts of his or her employer, the employer should not automatically be vicariously liable for the employee's actions.
-
Tuesday 9th October 2018 16:03 GMT sorry, what?
Re: English Idio.....
It seems that someone eradicated use of that abbreviation - I certainly can't find it.
Personally, as a native Brit of rather more years than I care to mention, it's not an abbreviation I'd have used for any of the suggested words. I'd have said "dosh" instead of "compensation", "mix" for "composition" and "muck" for "compost".
-
Tuesday 9th October 2018 15:56 GMT alain williams
I do have some sympathy for Morrisons
Andrew Skelton was not a director, neither was he part of a team doing something 'furthering corporate aims' that resulted in the data loss or, as is often the case, not doing things that they clearly should have done to prevent the data loss. In order to operate, a company does need to trust some individuals; it is not possible to lock everything down so that someone internal trying to nick data can be prevented 100% of the time.
Andrew Skelton should have the book thrown at him, he should pay the fine, if it means that he loses his house then so be it - it might act as a deterrent for others.
This should, however, not be used as an excuse to allow all corporations off the hook by blaming everything on rogue employees.
-
Tuesday 9th October 2018 19:47 GMT Anonymous Coward
Re: I don't have any sympathy for Morrisons
> it is not possible to lock everything down so that someone internal trying to nick data can be prevented 100% of the time
IME most companies do very little in terms of real data security. Yes, everybody has to jump through hoops and train in respect of DPA and GDPR, but leakage still goes on. Despite the ready availability of suitable technology, most companies don't use any proper access control and monitoring of sensitive files and databases. Emailing large files in and out is too easy (but should rarely be necessary if the company provides the right tools, although few do), simple approaches like disabling demountable storage are overlooked, etc etc. Yes, if security had been better and he'd been clever enough he might have found a way - but that doesn't appear to be the case. And even then, Morrisons were the custodians, they were the ones who lost it. If I put £500 in the bank, I expect them to keep it safe, rather than say "it wasn't us, it was that rotten armed robber". As an auditor, this twit should have had access on demand for almost anything, but that doesn't mean that he should have uncontrolled, unmonitored access, nor the ability to exfiltrate data.
Morrisons are fools for pursuing this case, because it refreshes public memory that they were incompetent (in my view, as per above), and it shows them in denial. Having been ordered by a court to pay, they should then have arranged a suitable non-disclosure settlement to keep it from bobbing up in the press. Instead the twerps try and appeal. I hope they lose. And I'll bear this in mind for future discretionary purchases so that no matter how small, their poor response has a commercial impact.
-
Tuesday 9th October 2018 22:26 GMT Roland6
Re: I don't have any sympathy for Morrisons
>Morrisons are fools for pursuing this case
Err no. You do realise that if Morrisons lose, JMW will have opened the door wide for all the other ambulance chasers...
Remember this case isn't about the data breach as such but "compensation for the distress caused". Given Morrisons was awarded £170,000 in compensation, it would seem that a cup of coffee from the Morrisons in-store cafe for every employee is about the right level of compensation...
-
Wednesday 10th October 2018 03:52 GMT eldakka
Re: I don't have any sympathy for Morrisons
> Having been ordered by a court to pay, they should then have arranged a suitable non-disclosure settlement to keep it from bobbing up in the press.
Once you have been ordered by the court to pay, you no longer have the option of setting your own conditions (i.e. requiring an NDA). You can only do that before a court judgement is made and then having the case dismissed (or never lodging it in the first place) before said judgement is reached.
-
Tuesday 9th October 2018 15:56 GMT Anonymous Coward
I'm guessing my opinion is going to be unpopular but here it is.
If as part of his role he should have had access to payroll data and he agreed to sign off on confidentiality then Morrisons are not to blame.
If Morrisons are found to be at blame then that will require a huge shift in IT policy, access and permissions across many organisations.
I'm on the side of Morrisons on this one. The perpetrator has already been jailed.
-
Tuesday 9th October 2018 19:47 GMT Anonymous Coward
"If as part of his role he should have had access to payroll data and he agreed to sign off on confidentiality then Morrisons are not to blame."
They should be. This wasn't a nation state grade, zero day, fully stealthed APT, it was some knob end employee with a grudge. He simply shouldn't have bulk access to download virtually the entire payroll data. Even in his job, where's the real day to day requirement to take a local copy of that sort of data? I've worked close to these systems, and even had work machines contaminated with unnecessary personal data - but as I wasn't dodgy nothing bad happened. But it shouldn't have been possible.
So I think you're wrong. Blaming rogue third parties for your company's data loss is merely lazy, third rate defensiveness.
-
Tuesday 9th October 2018 20:36 GMT Roland6
>I've worked close to these systems, and even had work machines contaminated with unnecessary personal data - but as I wasn't dodgy nothing bad happened. But it shouldn't have been possible.
It is surprising how many IT people throw their toys out of the pram when you limit their access to systems, many seem to think that it is okay that they can access ALL systems and ALL data because "they ain't doing anything dodgy".
In the new world, I wonder how many IT people realise that having such access now puts them at the top of any list of suspects when an unauthorised data disclosure happens...
-
Tuesday 9th October 2018 15:57 GMT TwistedPsycho
We are missing one important question...
.... how did the criminal remove the data?
Skelton was a senior auditor, according to the BBC article at the time of his sentencing, which would suggest to the outsider that the person has responsibilities beyond that of a standard office bod.
If he was just able to post it to Dropbox then yes there might be a case, but if the company took reasonable steps then you won't stop someone who has a determined grudge.
-
Wednesday 10th October 2018 07:21 GMT Anonymous Coward
Re: We are missing one important question...
This is incorrect.
If Morrisons had been at fault it would have been found to have been in breach of article 7 of the DPA which it was not. In addition, the judge gave Morrisons right of appeal without an application whereas the plaintiffs were denied the right of appeal on the finding that Morrisons was not at fault.
If Morrisons had been at fault, it would have been liable as opposed to vicariously liable. This might seem like a narrow legal distinction but it isn't.
-
Tuesday 9th October 2018 18:54 GMT Roland6
Re: We are missing one important question...
>If he was just able to post it to Dropbox then yes there might be a case,
You only need a web browser with public internet access to achieve a file upload, so the question is whether it is reasonable to have a web browser installed on a company PC...
-
Tuesday 9th October 2018 16:03 GMT adam payne
> Four years ago a disgruntled Morrisons employee, Andrew Skelton, who had legitimate access to the company’s entire payroll, published its contents online using anonymising network Tor.
It sounds like the controls in place at the time were insufficient to stop a person from copying the entire database. If the controls in place were insufficient to stop the theft then you are in some ways liable.
What controls have been put in place since this happened?
-
Tuesday 9th October 2018 18:54 GMT Andy Humphreys
Yep, I would agree with above. Why should Morrisons not have to take some responsibility for what in effect is a personal data breach that - with better controls - could have either been made much more difficult to achieve, or could have been detected much sooner, perhaps even thwarted?
If this were a Financial Services Org, then excrement would be hitting the fan and sticking..
There are plenty of technologies out there able to help lock down the use of Tor etc. and other DLP bits and pieces, not to mention logging, monitoring and alerting..
I can't see much evidence that any of this was in effective use..
-
Thursday 11th October 2018 04:37 GMT Andy Humphreys
...He used TOR on his personal computer.
OK well I'm obviously not as close to it as you are, but fair enough on that point if that's the case.
I'm still not so sure that's any better for Morrisons. He still managed to get the data out of Morrisons, and then onto/through his PC to send it through Tor. Still indicates a sub-standard control structure in my opinion..
-
Tuesday 9th October 2018 18:55 GMT IWVC
What are the legal requirements for data security
I'm with Morrisons on this one - but there again it wasn't my data that was leaked.
Not sure what the legislation requires, but if there is an expectation that there must be some level of reasonable provision to prevent unauthorised theft then the legal debate should be interesting.
-
Tuesday 9th October 2018 18:55 GMT Claptrap314
"Industry Standard"
The sad fact is, there are precious few companies that are not extremely vulnerable to this sort of thing. "Senior Auditor" is not a title you hand a green grad. Implementing controls to detect issues at this level is probably doable. Of course, whoever implements THOSE has the keys as well...
I'm all for improving security at pretty much all levels, but at some point, you need to limit these claims to situations where the company in question is clearly lagging what most similar companies are doing.
-
Tuesday 9th October 2018 19:47 GMT TechDrone
I guess you could argue that nobody has any business running a ToR client on a PC in a supermarket, so blocking 9001/tcp outbound would have stopped that for the 2 minutes it would take to reconfigure ToR to use a different port. And you can't really block outbound 80/tcp or 443/tcp. And that's assuming the files were uploaded from within their network and not put onto some other media and uploaded from elsewhere.
An awful lot of finance work consists - rightly or wrongly - of extracting data from one system and then loading it on to another, and I would expect an auditor to need the ability to do mass extracts to feed into audit tools which quite possibly sit on another machine.
I can't help feeling that Morrisons are being blamed for being a victim. I guess the difference between them and the ****** who did this is that Morrisons have more money. A lawyer friend once told me it's not about justice or right or wrong, but who you can most easily sue.
-
Tuesday 9th October 2018 22:27 GMT Andy Humphreys
..in reply to Techdrone
Preventing employees from being able to install the software in the first place would have been a better move. A content/category filtering proxy or firewall with TLS inspection might help to discover and block traffic that did make it to the border. U/NBA devices might help to detect an anomaly.
My point is that for an organisation the size of Morrisons, I should hope that they do have these sorts of measures and controls in place. I've seen organisations much smaller, who can achieve this, so why not them? Exfiltrations in the manner as you described, through 80/443 would be an absolute triviality without those proxy/FW measures. Finally, Insider accounts for around 75% of all data breaches. The controls absolutely have to take into priority those sorts of potential incidents, be they deliberate or accidental.
-
Tuesday 9th October 2018 23:34 GMT alain williams
Quis auditdiet ipsos Auditores?
> I guess you could argue that nobody has any business running a ToR client on a PC in a supermarket, so blocking 9001/tcp outbound would have stopped that for the 2 minutes
We are told that the data was uploaded via ToR but do not know if that is how the data was taken off the Morrison's servers. It could have been walked out of the building on a memory stick and uploaded via ToR at home or in a cyber-cafe.
Since he was an auditor he could have asked for access to the backup system/media/... to check that it was being done properly or that it could be restored or ... or ... One of many reasons to get his hands on a copy - then swipe a copy in one of many innocuous ways.
"Who audits the Auditors ?"
-
Wednesday 10th October 2018 13:38 GMT Norman Nescio
Re: Quis auditdiet ipsos Auditores?
Generally, auditors do not work alone, for reasons that should be obvious, but it seems are not.
Audit teams descend upon you partly because no single member should have access to data without someone else in the team of equal or greater authority signing off on that access. Usually, a senior (internal) auditor (which is what Andrew Skelton was) will be signing off on what junior members of the team access/collect, and will be unlikely to be 'at the coal-face', as the senior auditor's actions will need to be signed-off by the Head of Internal Audit, or some similar entity.
Now, if he instructs a junior member to grab a copy of the payroll database, he can't then sign off the access - that is an obviously deficient control. What happens is an Audit Plan is made in which taking a copy of the database is a part (but see later about normal practice), and it is signed-off by the Head of Internal Audit (or possibly another, independent, Senior Internal Auditor). He should not be able to waltz in on his own authority and grab a copy of whatever he likes. 'Fishing' expeditions are possible, but everything accessed or taken needs to be recorded and counter-signed, with the log audited by someone else. Audit is all about following a process in painful detail.
External Auditors come and review Internal Audit's working practices every so often.
Obviously, once a copy of data is (legitimately) on an Internal Audit's computer(s)*, you pretty much have to trust that it is not being misused - I would not be surprised to learn that in this case a Payroll Audit had just taken place, although I would understand normal practice would be not to take a copy of the payroll database, but to take a (sufficiently large to be representative) random sample of records to check for problems (for reasons that should be obvious).
Being an internal auditor should not give you 'the keys to the kingdom'. It should give you monitored and audited access to a representative sample of parts of the kingdom, precisely to prevent a disgruntled auditor causing great damage - which is what happened in this case.
I would expect one of the audit findings on the Payroll Audit would have been a deficiency in access controls, unless there was a Very Good Reason that the audit department needed a full copy of the database. Audits generally proceed on a representative sample of data.
Audit departments have to be 'squeaky clean' with regard to their own process controls, as they are the ones telling the rest of the company what best practice should be. It doesn't mean you avoid all risk - but deficiencies need to be recorded and agreed as allowable by the board of directors who have the legal responsibility for the proper running of the company. There is nowhere to hide.
Sorry if I've gone on a bit. My years in Internal Audit are coming back to haunt me and I'm getting flashbacks, even though I was never formally certified.
NN
*Computers used for data analysis by internal audit would generally not have Internet access, and follow the rule that client data can be imported or destroyed, but never exported. The only data that comes off those machines are the results, with the exception of secure backups, which are retained so that the audit can be reviewed, either by a separate internal audit team; or by the external auditors.
-
Wednesday 10th October 2018 13:58 GMT EnviableOne
Re: Quis auditdiet ipsos Auditores?
IIRC the data was removed from Morrisons and uploaded from a personal machine.
IMHO, Morrisons should be liable for not taking due care of the payroll data of its employees.
Auditors should be able to see and verify, but not in any terms remove PII.
If this was under GDPR regs, there would be no case as both would be liable.
-
Wednesday 10th October 2018 13:59 GMT Nick Ryan
Re: Quis auditdiet ipsos Auditores?
I read it that he just got a copy of the data, in some form - it really didn't need to be a native format, just an export, and took this offsite and uploaded it from a different system.
It's a classic case of data security vs usability - the only truly secure data is data that nobody can ever access, which really means data that you do not hold. Beyond this it's a balance of security risk vs usability.
This was data that had to be recorded, access to it was required and this access produced a certain level of risk. Morrison's responsibility is to reduce this risk to acceptable levels and beyond there is little more that they can do. Given that the previous case didn't highlight significant failures on Morrison's part it looks to be down to the individual in this case.
-
Friday 12th October 2018 00:13 GMT Roland6
Re: For those against Morrisons
>...but you can have systems in place which record who access the data and what they accessed and maybe even flag up when one person access large amounts of data.
Yes, however these systems don't stop one person accessing large amounts of data.
Today I was on a client site, the FD was doing the payroll. For whatever reason, they had to take an extract from the DB and populate an Excel spreadsheet, which then got forwarded to the company that ran the payroll.
So in your example system, it would have flagged that FD had accessed the data and even that they had accessed a large amount of data, only issue is their access was 100% legitimate. However, once the data had been extracted it would be out of sight of the data access monitor and thus copied without oversight.
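An added example, not part of any commenter's post: a sketch of the access monitor discussed above, combined with the counter-signature rule from the internal-audit comment earlier in the thread, so that a bulk read is triaged by whether someone other than the requester approved it. The log format, the 10% threshold, the user names and the ticket ids are all constructed assumptions.

```python
"""Added example: flag bulk reads of a sensitive table and triage them against
a counter-signed approval register. Every name and log line is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

SENSITIVE_TABLE = "payroll"
TABLE_ROWS = 100_000      # assumed size of the table
BULK_FRACTION = 0.10      # assumed policy: more than 10% of the table per day is "bulk"

# Constructed database audit log: time, user, table, rows returned, ticket quoted
AUDIT_LOG = """\
2018-10-01T09:12:00 fd_jones payroll 100000 CHG-101
2018-10-01T10:30:00 clerk_amy payroll 40 -
2018-10-01T11:05:00 clerk_amy payroll 55 -
2018-10-02T14:20:00 auditor_x payroll 500 CHG-102
2018-10-03T17:45:00 auditor_x payroll 60000 CHG-103
2018-10-03T18:02:00 auditor_x payroll 40000 CHG-103
2018-10-04T08:15:00 dba_lee payroll 100000 -
"""

@dataclass(frozen=True)
class Approval:
    requester: str
    approver: str
    table: str
    max_rows: int

# Constructed approval register (the "audit plan" sign-offs)
APPROVALS = {
    "CHG-101": Approval("fd_jones", "ceo_smith", "payroll", 100_000),
    "CHG-102": Approval("auditor_x", "head_of_audit", "payroll", 1_000),
    "CHG-103": Approval("auditor_x", "auditor_x", "payroll", 100_000),
}

def parse_log(text):
    """Turn whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, table, rows, ticket = line.split()
        events.append({
            "day": datetime.fromisoformat(ts).date(),
            "user": user,
            "table": table,
            "rows": int(rows),
            "ticket": None if ticket == "-" else ticket,
        })
    return events

def daily_totals(events):
    """Sum rows read from the sensitive table per (day, user)."""
    totals = defaultdict(lambda: {"rows": 0, "tickets": set()})
    for e in events:
        if e["table"] != SENSITIVE_TABLE:
            continue
        agg = totals[(e["day"], e["user"])]
        agg["rows"] += e["rows"]
        if e["ticket"]:
            agg["tickets"].add(e["ticket"])
    return totals

def triage(user, rows, tickets):
    """Classify a bulk read by the approvals quoted for it."""
    if not tickets:
        return "UNAPPROVED"
    allowed = 0
    for ticket in tickets:
        a = APPROVALS.get(ticket)
        if a is None or a.requester != user or a.table != SENSITIVE_TABLE:
            return "UNAPPROVED"
        if a.approver == a.requester:
            return "SELF_APPROVED"   # requester signed off their own access
        allowed += a.max_rows
    return "APPROVED" if rows <= allowed else "OVER_LIMIT"

def bulk_access_alerts(log_text=AUDIT_LOG):
    """Return (day, user, rows, verdict) for every bulk read, oldest first."""
    alerts = []
    for (day, user), agg in sorted(daily_totals(parse_log(log_text)).items()):
        if agg["rows"] > BULK_FRACTION * TABLE_ROWS:
            verdict = triage(user, agg["rows"], agg["tickets"])
            alerts.append((day.isoformat(), user, agg["rows"], verdict))
    return alerts

if __name__ == "__main__":
    for alert in bulk_access_alerts():
        print(alert)
```

The legitimate payroll extract is flagged exactly like the other two bulk reads; only the approval record separates them, and nothing here sees what happens to a file after it has been extracted.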
-
Thursday 10th October 2019 14:27 GMT Markymark7345
Data leak
As an ex-employee of Morrison's, yes, all my personal details were uploaded. Within several hours my account had been breached with hundreds of data downloads, which resulted in my bank closing down and freezing my accounts, ultimately not enabling me to withdraw or pay outgoings for several days. My details, such as my N.I. number, were posted and above all enough of my details were online that any person with a brain could obtain credit by fraud, which in effect is what happened to myself. Morrison's were made aware of this at the time and did they compensate me? NO. Did they put food in my cupboard to feed my family when I had no access to my own funds? NO. Did Morrison's help me in any way when this happened to me? NO.
So ANY person posting comments to state Morrison's were not liable for whatever circumstance, please consider this... Did Morrison's get a conviction of the employee responsible? YES. Did Morrison's secure any means of financial compensation from that employee? YES. So if Morrison's can obtain compensation from that employee's breach as well as not give a TOSS about my loss as an employee at the time, then why should I not pursue Morrison's for compensation just in the same way they pursued and gained compensation from Skelton... What's good enough for one is good enough for the other. Regardless of what it cost Morrison's, why should it have cost me and caused me and my family distress which Morrison's turned a blind eye to?? Morrison's are at fault, should be found ultimately liable and pay for their employees' distress and in some cases loss. Regardless of what technical legal arguments there are, what about the average Joe, a committed employee of the company, that Morrison's simply did not give two hoots about? Because I'm telling you now, this is Morrison's through and through.