Safeguarding Your Business Against A Data Breach
13th March 2019
A recent Court of Appeal ruling upheld a decision that found supermarket Morrisons vicariously liable for data theft by a disgruntled employee that led to thousands of personal employee details being posted online. This means it could face paying millions in compensation, even though it was not complicit in the breach.
Andrew Dix, Sales Director at UK insurance broker Gallagher, based in Metro House in Chichester, discusses what this means for businesses and how they can protect themselves against a similar crisis.
The Case
Current and former workers of Morrisons brought a claim against the supermarket after a disgruntled employee deliberately leaked the personal data – including salary and bank details – of nearly 100,000 staff, both online and to newspapers, exposing them to potential identity theft and financial loss.
The employee was jailed for eight years in 2015 after being convicted of fraud, securing unauthorised access to computer material and disclosing personal data.
In spite of incurring more than £2 million in breach response costs, the High Court ruled in the civil case that Morrisons was vicariously liable for breaches of privacy and confidence as well as data protection laws.
Last October, the Court of Appeal upheld that decision. It ruled that the supermarket must pay compensation for the upset and distress caused by this breach.
Morrisons now plans to take its appeal to the Supreme Court. This is a landmark case as it means that other employers could be held liable for criminal misuse of third-party data caused by an employee even if they were not complicit in the breach.
What are the risks?
Companies that hold extensive data on employees, and potentially customers, could be susceptible to data breaches and theft. If a breach occurs, correcting it could place serious demands on finances and time.
This can include:
- The costs of notifying affected data subjects, offering credit monitoring and setting up call centres for concerned customers
- Fees for a forensic identification of the reason for the breach as well as potentially blocking the hacker or removing the malware from their systems
- Legal costs if any regulatory action is taken
- Costs and compensation awards for affected employees and customers
- The possible theft of funds or assets through the manipulation or misuse of IT systems by a third party
What can be done?
Find out with expert advice from Gallagher here.