Morrison's supermarket (Pic: Rept0n1x/Wikimedia)
Morrisons has lost the latest in a series of challenges to a High Court ruling that makes the company liable for a significant data breach involving thousands of employees details.
The case is the first data leak class action in the UK, and could open the door to similar cases in the future, permanently changing the business risk factors around transferring and storing sensitive employee data.
Morrisons said it would appeal to the Supreme Court against the upheld ruling. The case was originally brought by workers affected by the breach.
In 2014 disaffected employee Andrew Skelton stole data concerning salary details of nearly 100,000 staff at the supermarket chain, including addresses, bank account details, and leaked it online.
Skelton had legitimate access to the data in order to securely transfer it to auditor KPMG, but during the process made an unauthorised copy. He was jailed for eight years in 2015 for fraud, securing unauthorised access to computer material and disclosing personal data.
Andy Richmond, UK VP at Varonis said: "CEOs and board members should take note of the High Court decision – that the actions of one rogue employee can very well lead to group litigation down the road. Today's’ ruling sets a precedent that victims of breaches will have their day in court and the responsible parties will indeed be held accountable. With the GDPR now in place, expect these penalties and lawsuits to become increasingly common and costly."
The company issued a statement after the hearing: "A former employee of Morrisons used his position to steal data about our colleagues and then place it on the internet and he's been found guilty for his crimes.
"Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged. In fact, we are not aware that anybody suffered any direct financial loss.
"We believe we should not be held responsible, so that's why we will now appeal to the Supreme Court."
Christopher Littlejohns, EMEA manager at Synopsys said that the ruling will force companies to evolve their risk perception: "The lessons to be learned here are twofold. Firstly, you may be found liable as an employer for third parties behaviour to which you grant responsibility for processing sensitive data, therefore you should ensure your supplier has adequate checks and balances of the suitability of such people to act on your behalf. This should include revealing information that is pertinent to any potential changes in that suitability. Secondly, although the costs may be disproportionate to the perceived risk, additional procedure and oversight could have prevented the opportunity for the retention of a copy of the data. E.g. a second pair of eyes on the transfer process."
However, Oz Alashe, CEO of CybSafe took a pragmatic stance: "It is hard to see what Morrisons could have realistically done to prevent this situation from arising. Nevertheless, the message from today’s ruling is clear: even when a company is the victim of criminal activity from within its own organisation, ultimate responsibility for keeping personal data secure rests on its shoulders. This failed appeal serves as a serious warning for business leaders across the country."
Indeed, some experts believe that the result of the ruling could go even further, as Bill Evans, senior director at One Identity, told SC Media UK: "The recent ruling against Morrisons could pave a new way for enterprising threat actors to extort money from corporations. From this point forward, every business in the UK must redouble its efforts to protect employee and customer data as the cost and frequency of ransomware attacks is likely to increase significantly. In part, this is because the risks and costs associated with the loss of employee data have increased as employees can claim compensation for the distress of being impacted by a breach. No longer must they prove negative financial impact; simply the act of having their information compromised is enough to incur loss to the company."