Following forensic investigations, it was revealed the data had been copied during the afternoon of 14th November 2013 by an employee who was arrested three days later. However, it became apparent that the arrested employee had been framed by the real perpetrator, who was subsequently arrested. You would be forgiven for thinking the above is the premise for a movie script. It is not. The employee, Andrew Skelton, a senior IT auditor who worked for Morrison’s Supermarket, was charged and convicted of offences under the Computer Misuse Act 1990 and Section 55 of the Data Protection Act 1998.
Skelton is currently serving an eight-year prison sentence, and Morrison’s is arguably dealing with a longer-lasting punishment. In a civil claim brought by the affected employees, it was found vicariously liable for Skelton’s actions, even though:
- the Court acknowledged Morrison’s had comprehensive data protection procedures in place;
- Skelton had copied the data on his personal computer outside of work hours, and;
- Skelton’s intention was to harm his employer, not the employees’ whose data he violated.
The Court of Appeal’s decision in Various Claimants v WM Morrison Supermarkets Plc sent shockwaves through the business community. The supermarket is appealing, with the case set to be heard by the Supreme Court in November. But as things stand, all employers must be alive to their data protection and cybersecurity duties or face ruinous consequences. Prevention of data and cyber breaches are not just the preserve of multi-national corporations like Morrisons. Micro, small, and medium enterprises have strict obligations to protect the data they hold from theft or loss. Understanding the type and scope of your duties will enable you to define processes and procedures which will ensure you are doing all you can to protect the interests of your business, clients, partners, and third parties.
First GDPR fines
- Malware – malicious software such as spyware, ransomware, viruses, or worms which breaches a computer network, installing dangerous software which can paralyse the network or lead to the theft of data.
- Phishing – the sending of fraudulent communications through an apparently reputable source, such as a company’s email, to fraudulently steal personal data.
- Man-in-the-Middle – the attacker places themselves in the middle of a transaction (for example transferring a house purchase deposit). Software is secretly installed to view and steal the victim’s information.
- Zero-day exploit – an attacker exploits an unknown flaw in an organisation’s software, hardware, or firmware. Because the flaw is undiscovered, no patch has been created, leaving it open to breach.
Research by Hiscox shows that 55% of firms across the UK, Germany, the US, Belgium, France, the Netherlands and Spain had faced a cyber-attack in 2019, up from 40% last year, with average losses soaring from $229,000 (£176,000) to $369,000. However, despite the risks, UK companies had the lowest level of cybersecurity budgets; less than $900,000 on average compared with $1.46m across the group. When it comes to liability for cyber and data breaches, the law is clear – the organisation can be held responsible under the GDPR/Data Protection Act 2018 and be liable for a civil claim for data breach/cyber-attacks. And as illustrated by the Morrison’s Case, liability can be direct or vicarious. It is imperative to prioritise your cybersecurity policies and procedures, regardless of the size of your organisation. And if a breach occurs, seek legal advice immediately so independent evidence can be swiftly gathered and ascertained. Because cyber-criminals are always one step ahead of detection and protection technology. It is not a question of if they will strike your business, but when.
How can LawBite help?
Our suite of GDPR products provides the ideal solution to get your business fully compliant. While if you remain somewhat uncertain about your position regarding the full compliance of your data protection procedures you can check your position via our handy GDPR Checklist. For further GDPR legal advice, please enter an enquiry or call us today on 020 7148 1066 to speak to a member of our friendly Client Care Team.