News broke recently that one of the UK’s leading supermarkets, Morrisons, will potentially be required to pay out a ‘vast’ sum to employees following a 2014 security breach which saw the payroll details of 100,000 members of staff leaked. Commenting on this, Christopher Littlejohns, EMEA Manager at Synopsys, said:
On the face of it, Morrisons’ loss in court was in relation to a typical “disgruntled employee with an axe to grind” issue. However, there was some significant variance in this case. Firstly, the employee was employed by the firm’s auditors, KPMG, and was therefore not a direct employee. This was why Morrisons were found “vicariously liable” as opposed to “primarily liable”, in that they approved the said individual from KPMG to act on behalf of Morrisons during the transfer and use of highly sensitive personal data.
Secondly, the processes that Morrisons and KPMG followed for the storage and transfer of the data were not really found at fault. They used encryption on USB devices on both sides, for example. However, there was a window of opportunity for the KPMG employee to retain unencrypted data on his own laptop. This is where the weakness lay, and he was able to exploit this weakness for his own means by retaining an unencrypted copy which he subsequently transferred to his personal PC.
The lessons to be learned here are twofold. Firstly, you may be found liable as an employer for the behaviour of third parties to which you grant responsibility for processing sensitive data; therefore you should ensure your supplier has adequate checks and balances on the suitability of such people to act on your behalf. This should include revealing information that is pertinent to any potential changes in that suitability.
In this particular case, that appeared to be the case, as the KPMG employee received a disciplinary procedure in relation to his work with Morrisons, hence the grievance he had and his subsequent actions. Secondly, although the costs may be disproportionate to the perceived risk, additional procedure and oversight could have prevented the opportunity for the retention of a copy of the data, e.g. a second pair of eyes on the transfer process.