Cyber-attacks: Business’ Liability for Data and Cyber Breaches

October 15, 2019

On 12th January 2014, a supermarket employee with a grudge posted the personal details of 99,998 fellow employees on a file-sharing website contained within the Dark Web. The details included the names, addresses, sex, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers, and salary details of those affected.  Three months later, a disc containing the uploaded material was received by three news outlets. The supermarket was promptly informed.

Within a few hours, the police were called, and the website containing the information was taken down.  It was swiftly established that only a few employees had access to the personal data concerned which was held in a, supposedly, secure internal business system (“PeopleSoft”).   Following forensic investigations, it was revealed the data had been copied during the afternoon of 14th November 2013 by an employee who was arrested three days later.  However, it became apparent that the arrested employee had been framed by the real perpetrator, who was subsequently arrested. 

You would be forgiven for thinking the above is the premise for a movie script.  It is not. The employee, Andrew Skelton, a senior IT auditor who worked for Morrison’s Supermarket, was charged and convicted of offences under the Computer Misuse Act 1990 and Section 55 of the Data Protection Act 1998.  

Skelton is currently serving an eight-year prison sentence, and Morrison’s is arguably dealing with a longer-lasting punishment.  In a civil claim brought by the affected employees, it was found vicariously liable for Skelton’s actions, even though:

  • the Court acknowledged Morrison’s had comprehensive data protection procedures in place;
  • Skelton had copied the data on his personal computer outside of work hours, and;
  • Skelton’s intention was to harm his employer, not the employees’ whose data he violated.

The Court of Appeal’s decision in Various Claimants v WM Morrison Supermarkets Plc sent shockwaves through the business community.  The supermarket is appealing, with the case set to be heard by the Supreme Court in November.   But as things stand, all employers must be alive to their data protection and cybersecurity duties or face ruinous consequences.

Prevention of data and cyber breaches are not just the preserve of multi-national corporations like Morrisons.  Micro, small, and medium enterprises have strict obligations to protect the data they hold from theft or loss. Understanding the type and scope of your duties will enable you to define processes and procedures which will ensure you are doing all you can to protect the interests of your business, clients, partners, and third parties.

First GDPR fines

Much has been said and written about the EU’s General Data Protection Regulations (GDPR) and the UK’s Data Protection Act 2018 (DPA 2018), which have now been in force for over a year.  Significant fines have been issued, including some for eye-watering amounts levelled at Big Tech. However, across Europe, SMEs have also incurred penalties.

In November 2018, A German chat site was fined €20,000 (£17,809) following a major data breach.  Knuddels.de suffered a breach that saw information relating to 330,000 users’, such as email addresses and passwords, placed on Mega.nz and Pastebin.com.

LfDI Baden-Württemberg, the regional data protection authority stated, “by storing the passwords in clear text, the company knowingly violated its duty to ensure data security in the processing of personal data in accordance with GDPR Article 32(1)(a).” 

In Portugal, the Portuguese Central Hospital of Barreiro Montijo was fined €400,000 after staff accessed patient data via fake profiles.

No GDPR fines have been issued by the Information Commissioners Office (ICO) as yet.  But British Airways is facing a record fine of £183m for last year’s data leakage (1.5 percent of its turnover), and the hotel chain Marriott could have £99m (3 percent) struck off its balance sheet.

Cyber-attacks

Cyber-attacks are politically or economically motivated invasions of an organisation’s computer systems.  They are generally launched over the Internet and are carried out through the spread of malicious programs (viruses), unauthorised web access, fake websites, remotely controlled IoT applications, and file sharing services.

Examples of cyber-attack methods include:

  • Malware – malicious software such as spyware, ransomware, viruses, or worms which breaches a computer network, installing dangerous software which can paralyse the network or lead to the theft of data.
  • Phishing – the sending of fraudulent communications through an apparently reputable source, such as a company’s email, to fraudulently steal personal data.
  • Man-in-the-Middle – the attacker places themselves in the middle of a transaction (for example transferring a house purchase deposit).  Software is secretly installed to view and steal the victim’s information.
  • Zero-day exploit – an attacker exploits an unknown flaw in an organisation’s software, hardware, or firmware.  Because the flaw is undiscovered, no patch has been created, leaving it open to breach.

Research by Hiscox shows that 55% of firms across the UK, Germany, the US, Belgium, France, the Netherlands and Spain had faced a cyber-attack in 2019, up from 40% last year, with average losses soaring from $229,000 (£176,000) to $369,000.  However, despite the risks, UK companies had the lowest level of cybersecurity budgets; less than $900,000 on average compared with $1.46m across the group.

When it comes to liability for cyber and data breaches, the law is clear – the organisation can be held responsible under the GDPR/Data Protection Act 2018 and be liable for a civil claim for data breach/cyber-attacks.  And as illustrated by the Morrison’s Case, liability can be direct or vicarious.

It is imperative to prioritise your cybersecurity policies and procedures, regardless of the size of your organisation.  And if a breach occurs, seek legal advice immediately so independent evidence can be swiftly gathered and ascertained. Because cyber-criminals are always one step ahead of detection and protection technology.  It is not a question of if they will strike your business, but when.

How can LawBite help?

At LawBite, we can help guide businesses through the maze of initial compliance and with the process of remaining compliant with the GDPR obligations.

Our suite of GDPR products provides the ideal solution to get your business fully compliant.

While if you remain somewhat uncertain about your position regarding the full compliance of your data protection procedures you can check your position via our handy GDPR Checklist.

For further business legal advice, please enter an enquiry or call us today on 020 7148 1066 to speak to a member of our friendly Client Care Team.