back to article Supreme Court of UK gives Morrisons the go-ahead for mega data leak liability appeal

Brit supermarket chain WM Morrisons is headed for the Supreme Court to fight an earlier ruling that made it liable for one disgruntled employee dumping the personal details of 100,000 colleagues online. As we reported back in October, the Court of Appeal upheld an earlier verdict holding the supermarket chain responsible for …

  1. alain williams Silver badge

    If Morrisons is liable for what an employee did ...

    then is the USA Commander in Chief (currently one D Trump) liable for what was released by Chelsea Manning ?

    1. DontFeedTheTrolls Silver badge
      Headmaster

      Re: If Morrisons is liable for what an employee did ...

      "The buck stops here"

      Even if the company took reasonable precautions to protect the data, they did lose the data.

      Policies and procedures are put in place to minimise the risk of rogue employees, however the entity is responsible for ensuring the data is protected, so the entity and its officers must be held to account, whether that's as an individual (Chief) level if they have failed, or the company (DoD) as a whole.

      1. steviebuk Silver badge

        Re: If Morrisons is liable for what an employee did ...

        I disagree. You'd have a point if the data was left out on a desk easy to grab. But if the person goes to extreme lengths due to finding a flaw in process, then as long as that flaw isn't something that's stupidly obvious that should of been plugged ages ago or a hole that was previously report but ignored, then you can't really blame the company owners for the lose.

    2. Anonymous Coward
      Anonymous Coward

      Re: If Morrisons is liable for what an employee did ...

      Why was he disciplined at all? It's perfectly normal to stick your outgoing bills, letters etc in the work post rather than take time out to visit a Post Office.

      1. paulf Silver badge
        WTF?

        Re: If Morrisons is liable for what an employee did ...

        The current paulf & co do allow employees to put personal items in the outgoing mail and have them franked at the rate prevailing from Royal Mail; BUT employees are expected to indicate they're personal items and to reimburse the company for the postage. This is a big benefit (at a cost to the company of having to deal with the extra franking and cash handling) as it saves a trip to the post office AND we pay the Mailmark Franked rate (where standard 1st class is 1p cheaper than a 2nd class stamp) but it's not a freebie nor could one reasonably expect it to be.

        1. Anonymous Coward
          Anonymous Coward

          Re: If Morrisons is liable for what an employee did ...

          "at a cost to the company of having to deal with the extra franking and cash handling"

          Well Franking costs pretty much nothing, and when you start charging for postage that probably costs as much to deal with as the cost of the post you are charging for.

          I have always just put personal items like bill payments, etc in the corporate out tray and considered it as perfectly normal and reasonable to do so.

  2. heyrick Silver badge
    Stop

    Should companies be on the hook for criminal employees' doings?

    Logically - YES.

    They requested the information, they held the information, they failed to provide mechanisms to stop somebody grabbing it all, not to mention the question of vetting the employee access, functional restrictions and/or oversight.

    This has to result in a Yes verdict, otherwise every data breach from that day forward will be a case of "rogue employee, nothing to do with us".

    1. Twanky
      Facepalm

      Re: Should companies be on the hook for criminal employees' doings?

      Yes. I agree. Unless the company can show that they took all reasonable precautions against a rogue employee misusing the information... Reasonable precautions would include locking down removable media, restricting inbound and outbound network traffic, only allowing access to aggregate/summary data for selections of more than a certain size and many many more. Oh yes, and no BYOD.

      1. Doctor Syntax Silver badge

        Re: Should companies be on the hook for criminal employees' doings?

        "Reasonable precautions would include"...either restricting access to an employee who's been disciplined or keeping an eye on him if he has to have access.

      2. Nick Kew Silver badge

        Re: Should companies be on the hook for criminal employees' doings?

        With that level of "reasonable" precautions, who would work there? I would rapidly take offence at a system designed on the premise that I was guilty of criminal intent and needed to be stopped.

        And who will implement such a system? What if they themselves turn rogue? It's people all the way down!

        Even highly-classified military stuff is secured against employees only to the extent that they won't *accidentally* leak. An employee deliberately setting out to leak - from a spy to a whistleblower - will more-likely-than-not succeed if they make a serious effort.

        1. The Original Steve

          Re: Should companies be on the hook for criminal employees' doings?

          " I would rapidly take offence at a system designed on the premise that I was guilty of criminal intent and needed to be stopped."

          Funny that.

          That's precisely how I design the Infrastructure I design and implement.

          Assume EVERYONE is a malicious actor and/or an idiot.

          An auditor doesn't have any special permissions. They'll have what they need for their job and not an ACL more. Certainly nobody needs access to the whole payroll database on a machine that hasn't been locked down.

          1. Anonymous Coward
            Anonymous Coward

            Re: Should companies be on the hook for criminal employees' doings?

            Just to point out, (networked) backup software can throw a spanner into the workings of any good permissions/auditing system.

            If someone gets hold of the backup system's login credentials, it's often a case of "game over" security wise.

        2. Twanky

          Re: Should companies be on the hook for criminal employees' doings?

          A thought-provoking response from Nick Kew - thank you, Have an up-vote - though I disagree.

          In response, I would suggest that one test of whether the precautions are 'reasonable' would be to examine the risk/impact for the company. These days, infringing GDPR can have very serious repercussions for a company so although the risk may be the same as before, the impact is much higher. I don't know if the events in question are pre- or post-GDPR but companies should have been preparing long before the deadline. Also, I would contend that the majority of the precautions I suggested would be the same to prevent malware getting onto and/or ex-filtrating information from systems handling sensitive (personal, in Morrisons case) information; and there's no reason for an employee to feel they're being unfairly treated.

          As for countermeasures against spies/whistleblowers: well, that's why a court should decide if the precautions were reasonable. If a case has come to court they clearly weren't adequate but that's a different matter.

        3. Kubla Cant Silver badge

          Re: Should companies be on the hook for criminal employees' doings?

          I would rapidly take offence at a system designed on the premise that I was guilty of criminal intent and needed to be stopped.

          So you'd never take a job where you need a pass to gain access to the office, then have to log in to use computer systems, and even then you can't access much of the stored data? I don't give much for your chances of finding employment.

          Personally, far from resenting information security features that restrict my capabilities, I mostly value them. It's tiresome to have to jump through hoops to access anything sensitive, but it's reassuring protection against inadvertently damaging or revealing stuff.

      3. Anonymous Coward
        Anonymous Coward

        Re: Should companies be on the hook for criminal employees' doings?

        @Twanky

        > Yes. I agree. Unless the company can show that they took all reasonable precautions against a rogue employee misusing the information.

        There is no 'unless' here. Morrisons should be liable. Taking all reasonable precautions can (and should) reduce the fine but it can't absolve them of responsibility.

        1. Twanky

          Re: Should companies be on the hook for criminal employees' doings?

          Fair point AC. Yes, the punishment should fit the crime. If they've been lax they should be punished. If not then they get a token slap on the wrist. Someone else here used the horrible term 'best practice' but it's applicable here IMO. Even if they've not been lax, their system protection was not adequate in this case and *someone* still has to pick up the bill to protect the people who had their information leaked.

    2. The Nazz Silver badge

      Re: Should companies be on the hook for criminal employees' doings?

      From this, and previous, articles it describes Skeltons very job as being the/an IT Auditor.

      By default, i expect this to mean he has (oops had*) unfettered access to the entire IT system, had the responsibility to test every procedure and recommend/implement changes (presumably improvements). Difficult to see how he could do his basic job otherwise.

      * If he has somehow maintained access to their systems, are Morrisons liable for further events or can they continue to rely on the defence of "It was a rogue employee that did it". Surely not.

      The primary cause of it all was for disciplining a single employee (out of some 100,000) for misappropriating company resources. Why just one? I'd assume a minimum of 1,000 were doing the same.

      1. Anonymous Coward
        Anonymous Coward

        Re: Should companies be on the hook for criminal employees' doings?

        > Why just one?

        His report probably pointed out some truths which management wanted re-written. Or Else.

      2. Aristotles slow and dimwitted horse Silver badge

        Re: Should companies be on the hook for criminal employees' doings?

        Considering the size of Morrisons as a group, if he was, as you say "the" IT auditor, then there is something VERY wrong with how Morrisons are internally audited. No one auditor should ever have that much access - solely; and Morrisons should have been more vigilant in understanding the risks, and in implementing technologies and strategies such as UAC and DLP.

        So yes, they are absolutely liable because they have been negligent in their responsibilities in regards data access rights, security and handling.

      3. Down not across Silver badge

        Re: Should companies be on the hook for criminal employees' doings?

        By default, i expect this to mean he has (oops had*) unfettered access to the entire IT system, had the responsibility to test every procedure and recommend/implement changes (presumably improvements). Difficult to see how he could do his basic job otherwise.

        Not necessarily. Auditors often have no access to the systems at all and work with people who do, to gather the evidence to support the audit. This applies both to internal and external auditors.

    3. katrinab Silver badge

      Re: Should companies be on the hook for criminal employees' doings?

      It is always people who leak data, not companies who are inanimate objects which are incapable of doing anything.

      1. Anonymous Coward
        Anonymous Coward

        Re: Should companies be on the hook for criminal employees' doings?

        @ "It is always people who leak data", I disagree, data can also leak via hacking, bad security practices and general stupidity i.e. incompetence for which they should have insurance.

        The company is the one who collected the data therefore they are responsible for it's safe keeping, if it gets away from them then they are the one who has failed and should be held responsible, I have heard the rogue employee excuse far too often in the press for it to still be a surprise to anyone.

        If it is not a surprise and it still happens then due diligence has not been followed by the company, hence company fail.

        The exposing employee is seperately guilty of a number of computer crimes but the company's security practices allowed it to happen so they must share a portion of the blaim.

        Disgruntled employ runs amok, heard this before?

        1. katrinab Silver badge

          Re: Should companies be on the hook for criminal employees' doings?

          Hacking is done by people. Crap security that allows it to happen is done by people.

          The law may say that a company is a person in its own right, but that is mostly about property ownership so you don’t have to change the title deeds, contracts and so on every time the people in a company change [1], but in reality, a company is just a group of people who get together for a particular purpose. So this means that a person or people within a company do something as part of their work for the company, the company is liable, even if other more senior people in the company prohibited it. The legal authority for this is actually a Morrisons case - Mr AM Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11. https://www.supremecourt.uk/cases/uksc-2014-0087.html

          [1] As an example, in England, a partnership is not a legal person, so every time the partners change, you do have to update all the contracts etc every time the partners change. A Scottish partnership is a legal person, even in England, so you don’t.

      2. Ochib

        Re: Should companies be on the hook for criminal employees' doings?

        That's one of those irregular verbs, isn't it? I give confidential security briefings. You leak. He has been charged under section 2a of the Official Secrets Act.

  3. Woodnag

    Liable

    It's really not difficult to limit access to data, and not difficult to lock out portable media on computers with the access.

    Inconvenient, yes.

    1. Vulture@C64

      Re: Liable

      It's not - especially where the staff are managing personal information in the payroll department. Different policies for different departments, depending on risk assessment.

      1. Anonymous Coward
        Anonymous Coward

        Re: Liable

        Finding an employee criminally liable for an act being sufficient to remove an employers liability is a relatively low standard for data breaches in my opinion.

        My understanding is that he had legitimate access to the information for his job (i.e. no hacking etc required to get access to the data) and went "rogue".

        If so, in my opinion, the employer should have to demonstrate industry standard practices were followed for training, systems and procedures to ensure data was handled correctly and the employer was taking steps to reduce the risk of disclosure. I would be tempted to err on the side of best practices rather than just standard practices.

        1. Gordon 10 Silver badge

          Re: Liable

          But I think thats not the point in question - and it should be.

          It's worth noting that Supreme Court Appeals are usually for clarifications on points of law - rather than the facts of the case, so I suspect the wrong aspects are being appealed.

          Whats being appealed is the applicability vicarious liability in this case, NOT whether Morrisons sufficiently restricted the access of their IT auditor - which is what they should be judged on. If they made reasonable attempts to provide the auditor with a minimum level of access for his role (say logs only), rather than say SA or equivalent, then I don't think they have a case to answer for damages. If they just shrugged and gave him SA then throw the book at them.

    2. OhDearyMe

      Re: Liable

      I suspect that the case hinges on the fact that the employee in question was an IT auditor. To remove their elevated access would render them unable to do their job, it would be constructive dismissal even if they did not actually fire him.

      Is it reasonable to (effectively) fire someone for a relatively minor disciplinary offence because of what they theoretically might do if they go rogue? Almost certainly not as ruled by many industrial tribunals over the years.

      So they may argue that the law put them between a rock and a hard place. Unless they have actionable intelligence that he was going rogue - that would stand up in a tribunal - they were kinda stuck.

      I don't want companies to be able to escape liability for data leaks but I do not think this case is quite as simple as that. As always the specifics of the case are what a court should rule on and I think that these are interesting specifics that are worth considering in the highest court. The legal question is - does data protection law require employers to over-react to minor disciplinary matters where an employee might foreseeably have access to personal data? That affects a lot of us in the IT industry and would have a serious impact on the employment rights of anyone with such access.

    3. phuzz Silver badge

      Re: Liable

      "It's really not difficult to limit access to data"

      It's easy enough to limit the access of an average employee, but what if (for example) they're the sysadmin in charge of backups? Or, as in this case, an auditor?

      That said, if someone requires a high level of access, then the next best thing would be to log their actions as closely as possible. However, that only helps identify them after the event, it doesn't stop them from copying all payroll data on to a USB stick.

  4. revenant Bronze badge

    Liable?

    Of course they are.

    On another point - it's nice to see that the toe-rag got 8 years. That level of malice against his own colleagues is appalling.

    1. Anonymous Coward
      Anonymous Coward

      Re: Liable?

      I never understood this kind of action. Lose/leave a job, and hopefully get a new one. Cause millions in damages in anger, and go to prison.

      Hmmm, why is it some people find it hard to make a choice with those two options.

      1. Anonymous Coward
        Anonymous Coward

        Re: Liable?

        >I never understood this kind of action.

        Neither have I but mental institutions and prisons are full of nutters I don't understand.

        1. Christoph Silver badge

          Re: Liable?

          As is the Palace of Westminster.

        2. LDS Silver badge

          "mental institutions and prisons are full of nutters I don't understand"

          The difference is usually those in mental institutions had no choice - those in prisons usually had.

          1. John Stirling

            Re: "mental institutions and prisons are full of nutters I don't understand"

            "The difference is usually those in mental institutions had no choice - those in prisons usually had."

            An interesting and conventionally accepted point of view which neuroscience would perhaps somewhat challenge.

            If breaking the law is irrational, because the punishment outweighs the benefit, and if expecting to get away with it is irrational, then almost by definition the crime was an irrational act, and therefore the criminal was in some way mentally deficient in their decision making.

            We are now reaching the point where we know that there is a quantitative and qualitative difference in the brain chemistry of people who struggle with their weight, people who become addicted, people who are late, people who commit antisocial behaviours, including crimes.

            The difference between a mental institution and a prison is one of degree not kind, and the differentiation is arbitrary, inconsistent, and varies with time.

            1. LDS Silver badge

              Re: "mental institutions and prisons are full of nutters I don't understand"

              No. Some criminal are also mentally ill - but not all criminals are mentally ill. While most people in mental institutions never had a choice about their lives, many criminals had - they deliberately chose their path because they saw personal advantages in that.

              Taking the wrong decision is not a "mental deficiency", sorry - sure, we are not all alike - but a real mental illness is a true different thing. It is also true that in the past many behaviours were considered illnesses and now not - as a scientific approach took place instead of a social one.

              Spend some time with those people, you'll learn the difference.

              And I'm not saying a mentally ill persons can't be dangerous to themselves or others, just you can't put them on the same plane of criminals.

      2. Doctor Syntax Silver badge

        Re: Liable?

        why is it some people find it hard to make a choice with those two options.

        "I won't get caught."

        That must be the thinking.

        1. richardcox13

          Re: Liable?

          > "I won't get caught."

          And thus why ever escalating punishment ("three strikes", ...) fails to reduce crime. If one does not think one will get caught the potential penalty does not matter.

        2. Joe Harrison Silver badge

          Re: Liable?

          I am not sure "I won't get caught" is what motivates something like this. To me it seems more like "my enemies have stuck a blow to me, but I am mightier than they and the world shall see it when I strike a more damaging return blow."

          In fact he sounds perfectly capable of anonymising via Tor or whatever, but that might not have worked emotionally if it would not have demonstrated his power.

      3. Anonymous Coward
        Anonymous Coward

        Re: Liable?

        > Hmmm, why is it some people find it hard to make a choice with those two options.

        There are more options than just those two. However the people you see caught are the ones who didn't make it, thus got stuck in the 2nd of the choices you listed.

  5. C. P. Cosgrove

    An interesting case, Watson !

    If I have read the article correctly then this appeal is around the extent of 'vicarious liability' in which case it has much wider implications than just the Morrison's case. The principal that 'an employer is liable for the acts of his servants' is firmly held in civil and commercial law and, having gone to the Supreme court, if Morrison's win this then everybody else in roughly analagous positions will be quoting this case as precedent.

    Interesting indeed.

    Chris Cosgrove

    1. moiety

      Re: An interesting case, Watson !

      Interesting and a bit scary. Disengaging companies even further from liability for their actions would be very, very bad.

      1. Gordon 10 Silver badge

        Re: An interesting case, Watson !

        Disagree. Depends on the circumstances. Companies should not be punished for the actions of their employee's if they take reasonable steps to prevent that employee from acting badly.

        1. Dr. Mouse Silver badge

          Re: An interesting case, Watson !

          Punished: No.

          Held liable for damages caused to a third party: Yes.

          There's a big difference. If a company has stored personal data and it is leaked by an employee (or, TBH, in any way including hacking etc) they should be liable for the damages/costs/etc of the thrid party/ies whose data has been lost. This should not be dependent upon whether they have taken reasonable precautions. If they hold that data and "lose" it, their actions (in holding that data) have cause damage/loss to the third party and they deserve compensation.

          If a company has not taken all reasonable precautions to secure that data, it should also be liable for punitive damages (i.e. punished) over and above the tangible losses incurred by the third party.

          1. Dr. Mouse Silver badge

            Re: An interesting case, Watson !

            In fact, thinking on it further, they should be held joint and severally liable along with the parties who committed the offence (where it was from malicious action by a bad actor).

            By making it this way, the company could be forced to pay out, but they could take action to recover that (as far as possible) from the other parties involved (hacker, rogue employee etc).

          2. Intractable Potsherd Silver badge

            Re: An interesting case, Watson !

            Being held liable *is* a form of punishment. It has measurable financial and reputational effects, whether it is a minor RTA or a major incident.

            (I don't know why I am so caught up in this! My sympathies are entirely with the people whose data was stolen, but it just seems inequitable to make an employer liable for the loss caused by a malicious actor if (and only if) the employer followed best practice at the time.)

    2. Anonymous Coward
      Anonymous Coward

      Re: An interesting case, Watson !

      > If I have read the article correctly then this appeal is around the extent of 'vicarious liability' in which case it has much wider implications than just the Morrison's case.

      Where does the chain of responsibility and therefore vicarious liability stop? If they lose, can Morrisons simply argue (in the class action case) that they were compelled to collect personal information by tax and employment law and therefore the Government are liable?

      Oh no, wait, Governments never take responsibility for the consequences of laws they pass. Carry on as you were.

  6. GrapeBunch Bronze badge

    It seems to me that if the company took the reasonable precautions, then they should not face criminal charges. But they should remain civilly liable for the release of info that they collected. Unless the info was released by a Higher Power, such as the government. An employee is not a Higher Power. I don't understand the kerfuffle. I guess that's part of the reasons why IANAL.

  7. Peter Prof Fox

    It's the management's job...

    to steal from employees by subverting the pension fund. Obviously an enterprising employee can't be given the same protection.

  8. The Original Steve

    Bright

    Clearly not the brightest bulb is he.

    Went to the effort of Tor, but then send the content to the papers - I assume via email or another way that was traceable.

    Why he didn't do it from a ProtonMail account via Tor is anyone's guess.

    1. Aristotles slow and dimwitted horse Silver badge

      Re: Bright

      Because Protonmail is only fully end to end secure and encrypted if you send your email to another Protonmail user - via their homecooked webmail portal.

  9. Alan Johnson

    If a company is liable even when it took reasonable precautions (whatever that might mean) and an employee acted both against company policy and criminally then this is a risk which companies cannot mitigate against whatever they do. This seems grossly unfair to me. The idea that any system can be developed which is prove against employees acting deliberately malicously and criminally is complete fantasy and if the decision stands as is it simply means that a company is always liabel however extreme and complete the precautions they take are. The effect of this is that the only 'defence' is insurance, which will be expensive and many private individuals/small companies/charities will be at risk because of someone acting malicously and with a grudge who is willing to take the consequences of acting criminally in the sure knowledge that even though they are responsible for a criminal actions their employer will be liable.

    1. Charlie Clark Silver badge

      I think this is about the degree of liability and whether sufficient precautions were indeed taken; and in the case of someone in the payroll department being able to dump personal details so easily, this does not seem to be the case.

      Companies find it often very easy to pin the blame on "rogue" individuals. The banks did this over LIBOR and Wall Street apparently over ever had a few "rogue" traders during the financial crisis.

    2. Dr. Mouse Silver badge

      The problem is that there are 2 sides to the liability.

      The first is to "force" companies to take reasonable precautions and do their utmost to protect personal data.

      The second side is to compensate those affected. A data breech could easily lead to serious problems for those whose data has been leaked. In this particular case, I see this as the more important of the 2: The staff involved will have had a lot of work to do to protect themselves from the leak, could well have more indefinitely in the future, and could well have suffered hardship from it, too. They gave this information (probably without any choice in the matter) to their employer and can reasonably expect it to remain private. Whether the employer took all reasonable precautions or not, they deserve to be compensated for anything resulting from this loss.

      Let's consider a trivial case: Your friend needs a laptop to do some work, so you lend him your expensive, top end one for a few days. He keeps it at home in a locked drawer when not in use, and his house is secured (locked and, potentially, alarmed). However, while he is out, someone breaks in and steals this laptop.

      Would you expect him to replace it? Unless I had insurance which would be valid in this case, I certainly would (and even with insurance I may expect him to stump up the excess). While I would be sympathetic, I would have loaned him something of value for his benefit (not my own) and would expect it returned in one way or another. He would, in the terms of this article, be liable for the loss (IMHO).

    3. John Stirling

      Company liability

      If the company had taken sufficient precautions the crime as it stood would not have been possible.

      Justification for being able to a) dump the database, b) store to USB?

      Nil

    4. Intractable Potsherd Silver badge

      Part of the problem is that, if vicarious liability goes too far, a disgruntled employee could do something that will bring down the entire company due to inability to afford the damages. This could be worth risking/going to prison for, in some people's minds. There has to be some level of reasonableness in the test - as an extreme example, consider a zero-day exploit that the disgruntled employee knows about, but againt which there is currently no defence: it would be unjust to hold the company liable in this instance. Best - not bleeding edge - practice should be the guiding principle for whether the company had the proper safeguards in place - security, as we know, is a trade-off against convenience.

      1. Dr. Mouse Silver badge

        If someone burgled or burned down my house, that could bankrupt me. If I crashed my car into a priceless historic building or a crowd of people, the damages in a court case could bankrupt me.

        That's why I have insurance.

        If a companies warehouse was burgled, even as an inside job by disgruntled employees, that could force them out of business. They have insurance for that. Why not to cover against claims from the loss of data? Or should the employees have to cover the losses themselves?

        1. Intractable Potsherd Silver badge

          I fully agree - I don't know if the insurance busuness has this type of policy (yet), but it looks as if there will soon be a market for it. The question is, would anyone trust commercial interests to be properly covered, or do we need personal cover?

        2. Mike Moyle Silver badge

          "If a companies (sic) warehouse was burgled, even as an inside job by disgruntled employees, that could force them out of business. They have insurance for that. Why not to cover against claims from the loss of data? Or should the employees have to cover the losses themselves?"

          I'm sure that, before they issued insurance against such threats, the insurance companies would insist on examining the company's IT security precautions, maybe bringing in an IT auditor to...

          Oh. Wait.

          Hmmmm... Tricky...

      2. Charlie Clark Silver badge

        Part of the problem is that, if vicarious liability goes too far, a disgruntled employee could do something that will bring down the entire company due to inability to afford the damages.

        Not in the UK it couldn't. And even in the US, where payouts can be unlimited, this rarely happens and even it's likely, Chapter 11 is a handy card to play: look at the utility in California that played it over the forest fires.

        But criminal liability is a separate issue from any form of reparation. The lack of it can be seen in the farce currently being played out in Germany over VW's egregious rule-breaking: public companies can in Germany not be held criminally liable. Difficult to argue in favour of that I think.

        1. Intractable Potsherd Silver badge

          I don't agree. Whilst large companies might be able to absorb mass damages, small companies could end up going to the wall - it has happened in the past.

          I am fully aware that criminal and civil aspects are separate, and I have no comment on the criminal aspects of the case. I *do*, however, think that vicarious liability is a poor tool for dealing with situations where a malicious actor deliberately does something that couldn't reasonably be mitigated against*.

          *Note that I don't know whether Morrisons security met with best practice - I haven't read anything either way.

  10. Alan Johnson

    liability whatever precautions are taken is a bad idea

    If a company is liable even when it took reasonable precautions (whatever that might mean) and an employee acted both against company policy and criminally then this is a risk which companies cannot mitigate against whatever they do. This seems grossly unfair to me. The idea that any system can be developed which is prove against employees acting deliberately malicously and criminally is complete fantasy and if the decision stands as is it simply means that a company is always liable however extreme and complete the precautions they take are.The other aspect of this is that the collection of private data is not something that can be avoided in most areas of life and is inevitable in providing many services. The effect of this is that many organisations of commercial and charitable nature will be subject to potntial liability which they cannot avoid whatever actions they take. The only 'defence' is insurance, which will be expensive and many private individuals/small companies/charities will be at risk because of someone acting malicously and with a grudge who is willing to take the consequences of acting criminally in the sure knowledge that even though they are responsible for a criminal actions their employer will be liable.

    1. Doctor Syntax Silver badge

      Re: liability whatever precautions are taken is a bad idea

      The problem with not holding the company liable in civil law is that there's then no redress for those injured. Where these are numerous it's not going to be possible for them to obtain it from the perpetrator. The real difficulty in this case is that the employees affected are collateral damage from an attempt to injure their employer.

      I wonder if there are actual damages to any employees.

    2. tiggity Silver badge

      Re: liability whatever precautions are taken is a bad idea

      The crux will be were the precautions reasonable?

      Certainly allowing write access to external media would be very poor practice when sensitive data is being accessed.

      Lots of small companies up and down the country where policy prevents a user using (i.e. nt even reading) / and definitely bar writing to a USB stick (or whatever other external device) they conect to thier work PC).

      Sensitive data and external device usage should always ring alarm bells, and if there is a legit reason, then normally you would ensure close monitoring to prevent abuse.

      There is no way to totally protect data, but if basic safeguarding is neglected then company should bear some responsibility - a bit like my house insurance, if nobody in the house and house left unoccipied with doors unlocked, then insurance company will not pay out if it gets burgled as house owner did not take sufficient precautions.

      Safeguarding sensitive data can be difficult and expensive, but Morrisons are not exactly a small, poor company, so no excuse for shoddy practice IMHO.

  11. Doctor Syntax Silver badge

    There is, of course, another way to look at this.

    If his object was to punish the company for a real or perceived slight then the Supremes do his job for him if they allow the employees' claims to succeed.

    There's a conundrum!

    1. JimC Silver badge

      > If his object was to punish the company

      Agreed. It makes it awfully easy for the bad actor to damage his soon to be former employer.

    2. Dr. Mouse Silver badge

      "If his object was to punish the company for a real or perceived slight then the Supremes do his job for him if they allow the employees' claims to succeed."

      But if it's ruled the other way, then the same damage exists, but it's the employees who are punished instead of the company.

      1. Intractable Potsherd Silver badge

        There is a saying that we learn early in law school - "hard cases make bad law". Whilst the saying is overused, I have always taken it to refer to a case that will set a precedent that can reasonably be foreseen to be abused regardless of the decision. This is one such situation - either it will make companies more exposed to harm, or it will leave uninvolved others vulnerable. Whilst I have not had a great deal to do with commercial law since I was an undergraduate some 20 years ago, I do know that, in cases of tort, the availability of insurance is often the deciding factor, so the CoA were simply following previous precedent.

        1. Anonymous Coward
          Anonymous Coward

          There's no good answer to this one. Punishing the company for his actions isn't right, nor is it right that genuine damages to the data subjects would go uncompensated.

          Perhaps a pragmatic approach would be for the damages to be treated as separate liabilities (on a percentage basis for blame as attributed by the judge), but with Morrissons having to front the damages attributable to their ex-employee as a loan if he is unable to pay. Morrissons may end up out of pocket, but the actual perpetrator ends up with a garnished income that would follow him around from then on - making him face the financial penalties as well as the criminal penalties for what he's done. Not a perfect answer by any means, but better than just hitting Morrissons.

          1. Dr. Mouse Silver badge

            That's why I mentioned joint and several liability in another post. If I understand it correctly, that'd mean Morrisons would have to pay out (as if fully liable) but they could recover that amount (or as much as possible) from the perpetrator.

            1. Intractable Potsherd Silver badge

              That is a good suggestion. Of course, the thief will never again have a job that will have significant earnings so nothing will accrue to Morrisons, but it will mean that his life is endlessly miserable, with no way out of his financial hole.

  12. EnviableOne Bronze badge

    both the bad actor and the employer are at fault.

    The auditor committed a crime by taking and exposing the data

    the company failed to take adequate precautions with special category data to prevent its theft and misuse and as such are in breach of DPA.

  13. steviebuk Silver badge

    Thinking about it...it's a tough one

    As has been mentioned, if you say "No they can't be held responsible." then all breaches could be just blamed on a rouge employee. But if all reasonable checks and protections were put in to stop data being stolen, but that rogue employee managed to discover a way round said restrictions, then surely you can't blame the company. Especially if those holes weren't massively obvious.

    Don't spies operate on a friendly bases. As in, keep your enemies close, hide in plan sight. Be friendly, act trustworthy so that no one suspects. Would you say the FBI is responsible for Robert Hanssen's actions or was that just a man in a position of trust who knew how to exploit that position.

    If Morrisons did everything they could to avoid such a lose yet the person managed to find the tiniest of holes, then surely you can't blame Morrisons.

    1. Swarthy Silver badge

      Re: Thinking about it...it's a tough one

      Nah, I'm thinking you can blame them. As I learned from Root Cause Analysis, it is Management's (ergo, the Company's) fault.

      Even if, as in this case, it was a rogue employee, who hired him and gave him that access? Management. Who crapped on his morale to the point where it seemed to him that it was worth prison to damage the company? Management.

      Even if it was just one instance of correcting undesirable behaviour, they hired someone that would flip their shit at one disciplinary action; thus it's their fault.

      The causes for something like this are in hiring, training, and/or working environment; and management controls all of those.

      That is why long-standing law and precedent holds corporations liable for the actions of their employees.

      1. Intractable Potsherd Silver badge

        Re: Thinking about it...it's a tough one

        The trouble is, it waters down personal responsibility. In your Root Cause Analysis, the individual is invisible - it is always somebody else's fault. The real reasons why somebody did something that led to bad things might be absutely nothing to do with the work environment. In this case, the Root Cause was that a person took a decision to screw over his colleagues because he'd been disciplined.

        1. Down not across Silver badge

          Re: Thinking about it...it's a tough one

          the Root Cause was that a person took a decision to screw over his colleagues because he'd been disciplined.

          Following the OP's train of thought: Who disciplined him? The management.

  14. aje21
    Facepalm

    Insurance

    From what I remember reading about this case it was nothing to do with the employer being at fault, or that they could have prevented it happening, it was that they were liable and so should have suitable insurance in place to pay out when it happens.

  15. The Nazz Silver badge

    I trust that Morrisons lose and it sets a defining precedent.

    Of course, it should then also apply to such as those who incorrectly e-mailed out the Journo's details on the porn age thing : https://www.bbc.co.uk/news/uk-47962405

    And as Swarthy says above, it is Management's failings that are the real fault not the rogue/hapless employee that does the actual deed.

    As has been said multiple times, it is only when govt (national AND local) employees, especially the highly remunerated "Managers", suffer the repercussions themselves will things start to improve.

    And should such events occur in the future, and Insurance pays out, then recover the excess and increased premiums from those actually responsible.

    1. diodesign (Written by Reg staff) Silver badge

      Re: "incorrectly e-mailed out the Journo's details on the porn age thing"

      FWIW we also got the same mass-CC'd email from the UK government, and I'm told it was sent by someone within White Hall with the initials K. Hunt.

      Cue a lot of hacks reply-all'ing with "Thanks, K Hunt"

      C.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019