Morrisons tells top court it's not liable for staffer who nicked payroll data of 100,000 employees

Brit supermarket Morrisons is arguing in the Supreme Court that it shouldn't be held vicariously liable for the actions of a rogue employee who stole and leaked the company's payroll. In a world where nobody's quite sure where data protection law ends and traditional civil law torts begin, the outcome of the case may well …

  1. tiggity Silver badge

    Depends if decent efforts at data security made by Morrisons

    It's all about taking reasonable steps to keep data secure

    Big red flag that auditor could plug in a USB stick and copy data, external device use would be expected to be locked down & with sensitive data a mechanism in place to verify valid reason to copy that data.

    Just like my house insurance, if I go out and leave house door unlocked, if I am burgled whilst away my insurance will not cover the loss as I did not take reasonable security measures.

    So if Morrisons were lax on security procedures, then some of the responsibility must lie with them. Just about any company with a security clue routinely locks down USB stick (& similar) access without having to jump through a lot of hoops, as a matter of basic security on all machines (never mind machines with access to sensitive stuff)

    1. GnuTzu Silver badge

      Re: Depends if decent efforts at data security made by Morrisons

      And, there are companies that now sell analytics and AI to track anomalous behavior and ferret out the bad inside actors. To what degree will companies be obligated to use these?

      I'm kind of on the fence about this. Inside the work place, our consent is part of our agreement to work towards a mutual profit so that we can actually get paid. But if we become conditioned to such consent, then to what degree will we be willing to consent to that level of tracking outside the work place. Oh wait...

      See how I'm on the fence. Businesses have some responsibility to insure that their workers are acting according to policy. But, we'd like some control of our data outside the work place, and we'd like limits on how those same businesses use the same type of technology to track us when we're not at work.

      Which road to hell are we hurtling down? Anyone got a fix for this?

      1. DontFeedTheTrolls Silver badge
        Headmaster

        Re: Depends if decent efforts at data security made by Morrisons

        "Businesses have some responsibility to insure that their workers are acting according to policy"

        If they were to "insure that their workers..." then their insurance policy would pay out for their losses from bad workers.

        If they "ensure that their workers are acting according to policy" then they wouldn't be in this shit now as they'd have taken the reasonable steps in an attempt to prevent their workers acting against policy.

        This pedantry pretty much sums up this case - did they take sufficient steps to absolve themselves from liability?

        1. GnuTzu Silver badge

          Re: Depends if decent efforts at data security made by Morrisons

          Fair call. I should have caught that. I stand suitably embarrassed.

          1. DontFeedTheTrolls Silver badge
            Pint

            Re: Depends if decent efforts at data security made by Morrisons

            We all make typos occasionally, have a pint for standing up.

        2. Tom 7 Silver badge

          Re: Depends if decent efforts at data security made by Morrisons

          Stop making it look like the workers were to blame. I would imagine the security was set at a level so the shit management could demand details on anything at a moment's notice and the workers would have to be the ones to provide that, so full worker access was necessary. I've implemented 'authorised need to know' access at a couple of places only to have those higher up ride roughshod over it because 'you will be fired if you don't'.

      2. mark4155
        Holmes

        Re: Depends if decent efforts at data security made by Morrisons

        Sitting on the fence is akin to being middle of the road. You risk being run over in either direction. Toodle Pip.

      3. ATeal

        Re: Depends if decent efforts at data security made by Morrisons

        Also:

        "dubious stuff detected, because it happened" - but hey it'll stop ... no wait, it'll only stop big multi-dippers, and if you go AI, have loads of false positives and miss stuff too.

    2. Brian Miller

      Re: Depends if decent efforts at data security made by Morrisons

      At some point, somebody has admin privileges. If your admin is intent on committing criminal acts, what can you, as an employer without that expert knowledge, do? Also, we don't know the hardware or OS. A USB port suggests commodity hardware.

      The "Who, Me?" column details many ways that many among us have covered our very bare asses. Now we have the case where a malicious admin, with of course privileged access, has copied off data. How do those with lesser expertise monitor those with far greater expertise?

      1. DontFeedTheTrolls Silver badge
        Boffin

        Re: Depends if decent efforts at data security made by Morrisons

        "At some point, somebody has admin privileges. If your admin is intent on committing criminal acts, what can you, as an employer without that expert knowledge, do?"

        I work in a place where certain privileged pieces of work are performed under "four eyes" - the policy says you need two people present when the change is made. The admin accounts required are secured against use and must be "checked out", and there's an audit trail of the whole process.

        It doesn't guarantee against rogue employees, but it does demonstrate an attempt to prevent an individual rogue using certain admin privileges in unintended ways. It isn't practical for every privilege, however that is a risk assessment each business must make.
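The control described in the comment above, as an added example (it is not code from the original thread or from any real system): a privileged account that can only be "checked out" when a requester and a distinct witness are both named, with a time limit and an append-only audit trail. Account names, people and the hash-chaining of audit entries are assumptions made for the illustration.

```python
"""Four-eyes check-out of a privileged account with a tamper-evident audit trail.

Added example, not code from the original thread or from any real system.  A
privileged account can only be checked out when a requester and a distinct
witness are both named, the checkout expires, and every decision (granted or
denied) is appended to an audit log whose entries are hash-chained so a later
edit to an earlier entry is detectable.  Account names, people and thresholds
are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CheckoutSession:
    account: str
    requester: str
    witness: str
    reason: str
    token: str          # bearer secret the requester must present to check back in
    expires_at: datetime


def _chain_digest(prev_digest, body):
    """SHA-256 over the previous entry's digest plus this entry's fields."""
    material = prev_digest + repr(sorted(body.items()))
    return hashlib.sha256(material.encode()).hexdigest()


class FourEyesVault:
    """Hands out a privileged account only when two different authorised people agree."""

    def __init__(self, accounts, authorised_admins, max_minutes=60):
        self._accounts = set(accounts)
        self._authorised = set(authorised_admins)
        self._ttl = timedelta(minutes=max_minutes)
        self._active = {}   # account -> CheckoutSession
        self.audit = []     # append-only list of dicts, each carrying a chained digest

    def _log(self, event, **fields):
        body = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields}
        prev = self.audit[-1]["digest"] if self.audit else ""
        self.audit.append({**body, "digest": _chain_digest(prev, body)})

    def _deny(self, account, who, why):
        self._log("denied", account=account, who=who, why=why)
        raise PermissionError(why)

    def check_out(self, account, requester, witness, reason):
        """Return a CheckoutSession, or raise PermissionError with the reason logged."""
        if account not in self._accounts:
            raise KeyError(f"unknown privileged account {account!r}")
        for person in (requester, witness):
            if person not in self._authorised:
                self._deny(account, person, f"{person} is not an authorised admin")
        if requester == witness:
            # the whole point of the control: nobody vouches for themselves
            self._deny(account, requester, "requester and witness must be different people")
        if account in self._active:
            self._deny(account, requester, f"{account} is already checked out")
        if not reason.strip():
            self._deny(account, requester, "a change reference is required")
        now = datetime.now(timezone.utc)
        session = CheckoutSession(account, requester, witness, reason,
                                  token=secrets.token_hex(16), expires_at=now + self._ttl)
        self._active[account] = session
        self._log("checkout", account=account, requester=requester, witness=witness,
                  reason=reason, expires_at=session.expires_at.isoformat())
        return session

    def is_active(self, session):
        """True while the session is the live checkout for its account and has not expired."""
        live = self._active.get(session.account)
        return (live is not None and hmac.compare_digest(live.token, session.token)
                and datetime.now(timezone.utc) < live.expires_at)

    def check_in(self, session):
        """Release the account.  Returns False (and logs) if the token does not match."""
        if not self.is_active(session):
            self._log("denied", account=session.account, who=session.requester, why="bad check-in")
            return False
        del self._active[session.account]
        self._log("checkin", account=session.account, requester=session.requester)
        return True

    def verify_audit(self):
        """Recompute the hash chain; False if any entry was altered or removed."""
        prev = ""
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if not hmac.compare_digest(_chain_digest(prev, body), entry["digest"]):
                return False
            prev = entry["digest"]
        return True
```

The denials are logged as well as the grants, because an attempt by one person to witness their own change is exactly the event a reviewer of the trail wants to see. The hash chain only detects tampering; in practice the log would also be shipped off-box so the admin being monitored cannot truncate it.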

          1. Anonymous Coward

          "Four Eyes" policy

          Specifying the number of eyes would be against our Inclusive Workplace Policy.

            1. Anonymous Coward

            Re: "Four Eyes" policy

            "Specifying the number of eyes would be against our Inclusive Workplace Policy."

            Could your instruction manual specify 1x Admin and 1d3 Witnesses, if your company has four people who are blind in one eye?

            And what about people who are legally blind so not allowed to drive etc but who can see more than just dark and light? Do they count as no eyes, two eyes, or some value in between?

        2. Tom 7 Silver badge

          Re: Depends if decent efforts at data security made by Morrisons

          Most people need access to single accounts as part of their day to day job and it's quite easy to set up something that gives you access to half a dozen accounts at any one time to focus searches on the right record and prevent those with that level of access from dumping all the records in one go. And a trigger for when someone tries to get a lot of data is fun too!
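The two controls sketched in the comment above, as an added example that is not part of the original thread or any real payroll system: a per-user cap on distinct employee records touched inside a short window, and an alert when a single query or export returns more rows than a per-employee lookup ever needs. The log format, user names, record IDs and thresholds are all constructed for the demonstration.

```python
"""Flagging bulk pulls of employee records from a payroll access log.

Added example, not from the original thread or from any real system.  It
implements a sliding-window limit on distinct records per user and a hard cap
on export size.  The log format, user names, record IDs and thresholds are
constructed for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines, one event per line, assumed to be in time order:
#   <ISO timestamp> user=<id> action=view record=<employee id>
#   <ISO timestamp> user=<id> action=export rows=<row count>
SAMPLE_LOG = """\
2014-01-10T09:01:05 user=hr.jones action=view record=E10442
2014-01-10T09:01:41 user=hr.jones action=view record=E10443
2014-01-10T09:02:20 user=hr.jones action=view record=E10442
2014-01-10T09:15:00 user=it.audit action=view record=E20001
2014-01-10T09:15:03 user=it.audit action=view record=E20002
2014-01-10T09:15:05 user=it.audit action=view record=E20003
2014-01-10T09:15:08 user=it.audit action=view record=E20004
2014-01-10T09:15:11 user=it.audit action=view record=E20005
2014-01-10T09:15:13 user=it.audit action=view record=E20006
2014-01-10T09:15:16 user=it.audit action=view record=E20007
2014-01-10T09:16:10 user=it.audit action=export rows=99998
"""


def parse_line(line):
    """Turn one log line into a dict; the timestamp becomes a datetime, rows an int."""
    ts_text, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts_text)
    if "rows" in event:
        event["rows"] = int(event["rows"])
    return event


class BulkAccessDetector:
    """Sliding-window check on distinct records per user plus a hard cap on export size."""

    def __init__(self, window=timedelta(minutes=10), max_distinct=6, max_rows=50):
        self.window = window
        self.max_distinct = max_distinct
        self.max_rows = max_rows
        self._recent = defaultdict(deque)   # user -> deque of (ts, record) inside the window
        self._tripped = set()               # users already alerted for their current burst
        self.alerts = []

    def feed(self, event):
        user, ts = event["user"], event["ts"]
        if event["action"] == "export":
            # a single result set bigger than any per-employee lookup is a bulk pull
            if event["rows"] > self.max_rows:
                self.alerts.append({"ts": ts, "user": user, "kind": "bulk_export",
                                    "detail": {"rows": event["rows"], "limit": self.max_rows}})
            return
        window = self._recent[user]
        window.append((ts, event["record"]))
        while ts - window[0][0] > self.window:   # drop views older than the window
            window.popleft()
        distinct = {record for _, record in window}
        if len(distinct) > self.max_distinct:
            if user not in self._tripped:         # alert once per burst, not once per row
                self._tripped.add(user)
                self.alerts.append({"ts": ts, "user": user, "kind": "bulk_access",
                                    "detail": {"distinct_records": len(distinct),
                                               "window_minutes": self.window.total_seconds() / 60,
                                               "limit": self.max_distinct}})
        else:
            self._tripped.discard(user)           # burst over, re-arm for the next one


def analyse(log_text, **thresholds):
    """Run the detector over a whole log and return the alerts in time order."""
    detector = BulkAccessDetector(**thresholds)
    for line in log_text.splitlines():
        if line.strip() and not line.startswith("#"):
            detector.feed(parse_line(line))
    return detector.alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert["ts"], alert["user"], alert["kind"], alert["detail"])
```

Re-viewing the same record does not count against the limit, so a clerk going back and forth on one case is not flagged, while an auditor walking through record after record trips the window cap well before the export line does. The thresholds are the tuning knobs an organisation has to set from its own normal workload.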

        3. ridley

          Re: Depends if decent efforts at data security made by Morrisons

          Nor is it practical in small companies, so presumably they would be held to a lower level of responsibility?

        4. TimB

          Re: Depends if decent efforts at data security made by Morrisons

          Seems to me that the granting of privileges is the line where they're acting on behalf of the company. Presumably, I couldn't simply walk into Morrisons head office with a USB stick and do what this guy did. He's used privileges granted to him by Morrisons specifically for the purpose of accessing that data. He is responsible for his behaviour while he has that access, but Morrisons are ultimately responsible for the breach because they gave him the access.

      2. Doctor Syntax Silver badge

        Re: Depends if decent efforts at data security made by Morrisons

        "A USB port suggests commodity hardware."

        Epoxy is also a commodity.

          1. Anonymous Coward

          Locking down a PC

          In the end you have to rely on the integrity of employers. All businesses rely on customer data to some degree and if you are a small business it is nearly impossible to lock down data to protect from rogue employees - let alone external people trying to hack into your business. Data Security is a full time job for a pro.

          Unless you disable access to the internet/printers/computers, prevent people from bringing in their phones/tablets/laptops/cameras and search people as they enter and leave the premises then you are at risk.

        2. LeahroyNake Silver badge

          Re: Depends if decent efforts at data security made by Morrisons

          Glueing up the USB ports makes fixing Windows issues / reinstalls a pain though lol

          1. tim 13

            Re: Depends if decent efforts at data security made by Morrisons

            Also plugging in mice and keyboards...

      3. simonlb Silver badge

        Re: Depends if decent efforts at data security made by Morrisons

        And this is part of the problem - being able to trust that the person with the Admin privileges won't abuse that trust, or that they haven't been given higher access rights than they should have which they then abuse and take advantage of.

        In my former role my team and I used a service account which we believed had Server admin rights to the Estate to perform our job roles; it was only after a security audit that we found out it had been wrongly given Enterprise Administrator rights instead. We had been using that account for over two years but had never thought to check what rights the account had as it had been created by the relevant team under a standard account request ticket with the access permissions clearly specified.

      4. MadAsHell

        Re: Depends if decent efforts at data security made by Morrisons

        Quis custodiet ipsos custodes? The Romans understood this question 2k years ago.

        Just because you have to give someone God-mode access doesn't mean that you don't monitor and record their activity. Isn't that why we like the idea of always-on bodycams for USA Police?

        It's a cop-out to throw your hands up in the air and say 'I don't know enough to control my admins'. And you should be held accountable and liable if that's what you've done.

    3. Aqua Marina

      Re: Depends if decent efforts at data security made by Morrisons

      A simple analogy, if a Morrisons cleaner ends his shift, picks up his mop, goes out into the street and starts bludgeoning passers-by to death with it on his way home, are Morrisons vicariously liable because they didn't lock up the mop?

      The crux of the matter is not security. It's whether you can be held liable for the criminal actions of someone else.

      1. EnviableOne Bronze badge

        Re: Depends if decent efforts at data security made by Morrisons

        that's not the case at all

        the case is whether Morrisons are liable to the employees for loss of their data

        the DPA 2018 is clear:

        A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data

        Morrisons allowed an unauthorised disclosure of the employees' information from their systems, by failing to stop the Auditor from downloading and exiting the building with the employee payroll records.

        open and shut

        1. Persona Bronze badge

          Re: Depends if decent efforts at data security made by Morrisons

          It's far from open and shut. If the IT auditor was tasked with investigating that system then he was authorised to access the data. Even in a very tightly controlled environment, once he has that data using his necessary privileges as an auditor there are a multitude of ways he can get it out the door, including loading it onto an encrypted USB stick or an encrypted disk on his laptop. At a minimum he could simply print it, put it in his briefcase and walk with it.

          1. Kevin Lomax

            Re: Depends if decent efforts at data security made by Morrisons

            Or upload it into OneDrive, iCloud, Google Drive, Dropbox, Box or any other online file archiving system.

            Or mail it to yourself via Hotmail, Gmail etc.

            Or print it off, then take photos and OCR them.

            Point is - if someone has access to the Internet *and* access to the data by legitimate means, then there's not a lot you can do about data leakage if someone really wants to do it. Things like rights management can cover off some of that, but if you're pulling data from the HR database into an Excel spreadsheet then that'll get bypassed.

            The answer of course is to treat the data like the NOC list in Mission Impossible!

            1. TimB

              Re: Depends if decent efforts at data security made by Morrisons

              There's no legitimate reason for cloud storage or webmail providers to be accessible from the same system as the payroll data. USB locks are readily available and easy to install. Something like payroll data should be easily auditable for any access or printing.

              You're right, it's almost impossible to actually stop somebody who is determined to get data out. That doesn't mean you don't bother putting in any precautions at all.

        2. jabuzz

          Re: Depends if decent efforts at data security made by Morrisons

          Right, so if the cleaner ram raids your data centre (those with long memories will remember the University of Durham had theirs ram raided twice) and steals this month's pay slips as they are being printed out, then the firm is vicariously liable?

          1. Cav

            Re: Depends if decent efforts at data security made by Morrisons

            Yes, we specifically time our printing of sensitive information for when someone will be sitting on the printer to collect it. Particularly sensitive print jobs go to printers which only print when authorized users sign in.

        3. Cynical Pie

          Re: Depends if decent efforts at data security made by Morrisons

          doesn't matter one iota what the DPA 2018 says, this case is being considered under the 1998 Act

        4. Alan Johnson

          Re: Depends if decent efforts at data security made by Morrisons

          "Morrisons allowed an unauthorised disclosure of the employees' information from their systems, by failing to stop the Auditor from downloading and exiting the building with the employee payroll records.

          open and shut"

          If it was open and shut then it would not be in the appeal process at the moment.

          The issue with your argument is the statement: Morrisons allowed an unauthorised disclosure of the employees' information from their systems, by failing to stop the Auditor from downloading and exiting the building with the employee payroll records.

          It is quite clear that Morrisons did not allow this action at all; on the contrary, it is clear that they did not allow it and sought to prevent it, but that the measures to prevent it were inadequate in this case.

          The legal issue to me is what level of precautions and security is sufficient to remove liability from Morrisons. Personally I think an employer should only be liable for the actions of an employee if the employee's actions were foreseeable and the lack of precautions amounted to recklessness.

          This is just a basic principle of fairness: the person who is responsible for criminal actions is the criminal themselves, and people who just happened to be in the wrong place at the wrong time and failed to prevent the criminal actions. If a reasonable level of care is taken, with a presumption that this is the case unless clearly otherwise, then third parties should not be held responsible for failing to prevent a crime.

          1. TimB

            Re: Depends if decent efforts at data security made by Morrisons

            Morrisons provided him with credentials which gave him the privileges required to log in and access payroll data. Morrisons configured his PC so that he could just plug in a USB stick and copy whatever he wanted to it. Morrisons therefore allowed him, by the granting of privileges, to copy payroll data to a USB stick and walk out the door with it.

            1. Chris 211

              Re: Depends if decent efforts at data security made by Morrisons

              They certainly didn't. They gave him tools to do tasks he was allowed to do on possibly a change request. What a lot of pumped up armchair security bods fail to understand is that unencrypted USB access is a requirement for engineers for upgrading all sorts of systems or connecting to the console of all sorts of systems. The criminal is the person who decided without a change request or agreed task last to copy the data and upload it.

      2. Denshi

        Re: Depends if decent efforts at data security made by Morrisons

        But we can use a slightly different analogy because, by law, Morrisons are required to safeguard the data in their possession.

        If I give my valuables to a bank to lock in their safe and the Bank Manager (who has access to that safe because he's the manager) abuses his position to steal my valuables, can I sue the bank for failing to keep them safe? For failing to provide adequate security to prevent the manager from accessing my valuables in the safe without oversight?

        Your analogy is an employee using tools provided in the course of his employment to commit an external crime - the bludgeoning has nothing to do with Morrisons. This is Morrisons saying "Well, we're legally obliged to keep this data safe, but in this case the crime was committed by someone we vetted and gave access to the data to, not some third party who breached our security, so it's not our fault".

        Morrisons shouldn't be held accountable for the theft of the data - they don't go down for Computer Misuse and Identity Theft and the various crimes I can pin on the employee. But they should be held accountable for failing to protect the personal information entrusted to them - which is something they have done, not their employee.

      3. StewartWhite

        Re: Depends if decent efforts at data security made by Morrisons

        Is the hypothetical mop a Morrison's own brand? If so, kudos to them for building a sturdy enough cleaning implement such that it can bludgeon many people to death.

        1. Andy The Hat Silver badge

          Re: Depends if decent efforts at data security made by Morrisons

          What if the label states "not suitable for bludgeoning"?

      4. gnasher729 Silver badge

        Re: Depends if decent efforts at data security made by Morrisons

        "A simple analogy, if a Morrisons cleaner ends his shift, picks up his mop, goes out into the street and starts bludgeoning passers-by to death with it on his way home, are Morrisons vicariously liable because they didn't lock up the mop?"

        If the cleaner starts bludgeoning customers in the store who are in his way and make it harder to clean the store, then it's related to the job and Morrisons is liable. If his job included going out into the street and cleaning it, also yes, depending on circumstances. And that's what the case is about: Did the criminal do this as something related to his job, or not?

      5. Anonymous Coward

        Re: Depends if decent efforts at data security made by Morrisons

        Too simple an analogy. Morrisons is not legally required to prevent the mop getting out onto the street. They are required to keep personal information from leaving their systems.

    4. Anonymous Coward

      Re: Depends if decent efforts at data security made by Morrisons

      But if this was an employee the result would be the same. So therefore who is 'the organisation'? If ICT lock down USB sticks and then an IT manager steals some data, is the company still liable?

      Do they therefore need to use an external company to define security policy and if they do is that more secure or less.

      If someone had legitimate and minimal access to a system and they abused that access knowing it was wrong then they are responsible. It's easy to think of an organisation as a bunch of people who sit around a table and make ultimate decisions on every aspect of the organisation right down to firewall rules. But obviously they don't - therefore you would have to say that the IT department are fully responsible for a rogue person stealing data?

      If they are personally responsible should the members of the team be on trial? It gets quite messy, quite quickly.

      1. Cav

        Re: Depends if decent efforts at data security made by Morrisons

        But many organizations do make decisions at a higher level than IT. I used to work for a company that refused to lock USB ports - because it "caused inconvenience'. That was an organizational decision. You and I know it was wrong. The rest of IT knows it was wrong but the organization made that decision. The same does apply to firewalls. "Why can't I get out to X? Unblock it at once."

        "If ICT lock down usb sticks and then an IT manager steals some data is the company still liable" Why does the IT manager have access to the data? Appropriate access should be maintained and monitored by someone other than the IT manager!

        1. Anonymous Coward

          Re: Depends if decent efforts at data security made by Morrisons

          "Why does the IT manager have access to the data? Appropriate access should be maintained and monitored by someone other than the IT manager!"

          So who? And if they steal some data then the same comment exists. It's not like someone on the board or executive suite is going to handle requests for unblocking company-sanctioned USB devices.

    5. Ken Rennoldson
      FAIL

      Re: Depends if decent efforts at data security made by Morrisons

      I'm with you on this. The risk of people doing bad things is part of any decent organisation's concerns and steps should be put in place to mitigate it. As always there's a trade-off between oppression/bureaucracy/trust etc. But locking down USB ports and monitoring for excessive data transfers seems basic to me.

      I bet they protect against staff pinching stock!

    6. ThatOne Silver badge
      Holmes

      Re: Depends if decent efforts at data security made by Morrisons

      Indeed, the real issue here is not liability for employee actions; That's just the defense's strategy, deflecting the issue to something unrelated and easier to defend.

      The real issue is about reasonable effort spent securing that data: I don't know the details, but if the bad guy(s) just needed to remember bringing a USB stick to steal that data, the company is obviously guilty, since it didn't protect access and use well enough. If on the contrary it took a "Mission: Impossible" style raid to get to that information, the company can argue that data was reasonably secure.

      1. jabuzz

        Re: Depends if decent efforts at data security made by Morrisons

        He used a USB stick probably because it was convenient. I could write a JavaScript program that runs in a web browser that streams the data as a series of QR codes (or similar) that I record on my mobile phone as a video, then turn back into a working file. Try protecting against that.

        1. The Original Steve

          Re: Depends if decent efforts at data security made by Morrisons

          No ability to launch any executable other than the application required (SAP or similar) on a device without Internet access and someone from IT babysitting you whilst you are on the device.

          Your move.

          1. Simon 15

            Re: Depends if decent efforts at data security made by Morrisons

            Take photographs on the screen displaying the sensitive data with your smartphone... It is very easy for anyone in a position of responsibility to steal data and there is only so much that can be done to stop them. There is always a trade-off between convenience and data security. At the end of the day people in senior positions have the responsibility and should be trustworthy. I agree that people should only have access to the information they need in order to do their job but you have to trust them at some point, they might just have a really good memory or could be writing stuff down using pen and paper!

            I call BS on all the comments saying remove USB ports, only allow a single application to run etc. Yes these things ARE possible and they MIGHT have prevented this data loss but come on, really? And what about the techies that will be performing these tasks in order to lock down the computer in the first place? Won't they be able to bypass the security they have implemented? Or do we simply *trust* them not to, in pretty much the same way we trust them not to read our e-mail?

            In my personal opinion an employer should only be held accountable for the actions of an employee if they have been negligent in their security and supervision of said individual. If a driver working for Eddie Stobart decides to smuggle drugs into the UK using a company vehicle then they are guilty of the crime rather than the company, even though it was the company vehicle being used. The driver was employed to do a specific job that had a responsibility and the company trusted him to perform this role. After interviewing him, obtaining references, checking his driving qualifications, licences and other such due diligence he was hired and trained appropriately. Would you now argue the employer is accountable for their employee's actions?

            1. Anonymous Coward

              Re: Depends if decent efforts at data security made by Morrisons

              There is some case law on this (oddly, also as a result of Morrisons, heard by the Supreme Court): https://www.bbc.co.uk/news/uk-35696701

              1. Roland6 Silver badge

                Re: Depends if decent efforts at data security made by Morrisons

                >https://www.bbc.co.uk/news/uk-35696701

                What is odd and concerning about that report is that I can find no mention in any report as to whether Amjid Khan (the Morrison's employee) was convicted of GBH...

            2. batfink Silver badge

              Re: Depends if decent efforts at data security made by Morrisons

              Agreed. Companies can't be reasonably expected to prevent all kinds of bad behaviour, because that leads to silliness and unusability very quickly.

              However, they can be expected to take reasonable precautions, proportionate to the expected threat and damage.

              Now it's over to the lawyers in the case to argue the values of "reasonable" and "proportionate"...

              1. Roland6 Silver badge

                Re: Depends if decent efforts at data security made by Morrisons

                >However, they can be expected to take reasonable precautions, proportionate to the expected threat and damage.

                And therein is another rat's nest...

                Suggest rereading the 2007 HMRC loss of child benefit records that identified 25M individuals.

                [https://en.wikipedia.org/wiki/Loss_of_United_Kingdom_child_benefit_data_(2007) - other accounts can be found by internet search.]

                Whilst the CDs were (claimed to be) password protected, it is noteworthy that because the transfer was between two branches of government, it was deemed reasonable firstly to send a much larger dataset than that which was requested (it was easier and cheaper for HMRC to obtain the larger dataset) and secondly to handle the transfer of the CDs like any other inter-governmental communication, via the unregistered/unsigned-for internal mail.

                The parallel with the Morrisons case is that firstly an individual employee - probably at the direction of a manager - prepared and gave access to the full dataset to another employee, who at the time had the job title "auditor" and probably also knew that the dataset was to be passed to an external organisation. I can fully understand this employee making the seemingly reasonable decision to simply hand over the raw, i.e. unencrypted, dataset.

                I suspect this culture of security is common in many commercial businesses, who haven't been grounded in security like some government departments and agencies.

            3. Deckard_C

              Re: Depends if decent efforts at data security made by Morrisons

              Taking photos of your screen would limit how many details you can steal, much less than 100,000.

              Printing 100,000 records, I reckon at 60 records per side duplex, is 3 reams of paper; somebody might notice.

              My employer has less than 100 employees. We have restrictions so only allowed applications are allowed to run. That has stopped a few browser-based malware by stopping dropped payloads from running.

              USB storage devices are locked down, simply an option in Symantec. So only 2 people have access to bypass that, myself being one as I'm IT. But I don't have access to the payroll system; I could look at the database tables but they are encrypted so I can't see anything anyway.

              When the auditors are in and they want a report saving to USB they tell finance, and they ask IT to copy it to USB and they can watch while IT is doing it. Not common enough to be an inconvenience.

              You could upload to something like dropbox/onedrive, but everyone knows their visit to dropbox/onedrive will have been recorded. Which we avoid anyway because it's easy for people to get scammed out of their dropbox/onedrive details.

              We could be more secure on individual client record access as the software supports it (only have access to the client records you are doing work for) but that is seen as too much inconvenience to maintain, so we only do that when we do work for employees or their family.

          2. Brewster's Angle Grinder Silver badge

            Every modern browser includes a full-blown IDE

            "No ability to launch any executable other than the application required (SAP or similar) on a device without Internet access and someone from IT babysitting you whilst you are on the device."

            I'm in a browser. I hit F12. I now have access to the console and ability to write code. I can start automating the scraping of any data I can access from the browser.

            1. Roland6 Silver badge

              Re: Every modern browser includes a full-blown IDE

              Demonstrates that in a secure enterprise you need to only permit the installation of applications that support Group Policy: With Chrome you can set the GPO "Disable Developer Tools"...

              What the Morrisons case is showing is how commercial organisations need to totally rethink IT systems security. It should also have a ripple on effect on OS and application developers.

              The worry, from my understanding, is that currently Linux (and Linux applications) doesn't have a de facto equivalent to AD and Group Policy...

    7. Venerable and Fragrant Wind of Change

      Re: Depends if decent efforts at data security made by Morrisons

      And if Morrisons had contracted a BOFH to secure their data, but the BOFH then nicks and abuses everything?

      Or the BOFH leaves a backdoor (government-mandated or otherwise) not authorised nor known by Morrisons?

      Surely there has to be an element of Good Faith in the argument here!

    8. LucreLout Silver badge

      Re: Depends if decent efforts at data security made by Morrisons

      So if Morrisons were lax on security procedures

We already know they were. There's no reason for anyone with access to employee data to have access to a USB anything, or any other cloud or external storage. Access to sensitive data has to result in a lock down of the employee's ability to transfer that data anywhere outside the corporate network.

      The employee bears primary responsibility for his actions, but the employer must also bear fault for their woeful security provision. It should simply not be possible for my employment details to wind up on a dumpsite.

My payroll details should be encrypted at rest and in transfer and accessible only via the payroll system. My employee details the same, but accessible only from the HR system. Nobody ever needs access to both, and those that have access to either must expect restricted ability to do things - exporting them to Excel is unjustifiable.

      1. Mixedbag

        Re: Depends if decent efforts at data security made by Morrisons

And if, as is oft the case, your payroll system does not have an inbuilt function to assess pay rises and create a mail merge to print a letter for each employee for their revised remuneration?

And yes, printing physical letters for such things is still a requirement, in some cases because of what is written in union arrangements but more commonly because not all of your employees will have an email address, or at least not one they wish to share with their employer.

        1. LucreLout Silver badge

          Re: Depends if decent efforts at data security made by Morrisons

And if, as is oft the case, your payroll system does not have an inbuilt function to assess pay rises and create a mail merge to print a letter for each employee for their revised remuneration?

Replace the system for one that does. It's relatively cheap and easy these days, especially compared to the size of a GDPR fine. Most systems are perfectly capable of applying a cost of living rise to most employees. There's no reason to extract the data to a spreadsheet to add 1 or 2%. Employees can get a login to go view their comp page.

And yes, printing physical letters for such things is still a requirement, in some cases because of what is written in union arrangements

Then either kick out the union or force them to modernise. I don't want my data leaking because some dinosaur hasn't realised the '70s ended and the world is digital.

not all of your employees will have an email address, or at least not one they wish to share with their employer

Set one up for them and assign it as their communication address. Simples. Leaking everyone's data because Maude doesn't want to work with email/computers or paranoid Pete thinks he's smart playing games will only lead Maude, Pete and a whole lot of other staff to the redundancy queue when the employer gets their balls sued off for perfectly avoidable breaches.

    9. Gordon 10 Silver badge
      Stop

      Re: Depends if decent efforts at data security made by Morrisons

Not sure that follows. It's quite possible that as an auditor he would have an exception to any USB stick rule; they are forever tossing around spreadsheets.

Also I think the fact that he was an auditor in a privileged role is key. This wasn't some muppet arsing around, this was the finance/HR equivalent of a rogue sysadmin.

      1. Gordon 10 Silver badge

        Re: Depends if decent efforts at data security made by Morrisons

To reply to my comment. In Friday's article on this the sidebar says:

"As part of that, the payroll was 'uploaded from an encrypted USB onto Mr Skelton's encrypted work laptop by another Morrisons employee'."

So basically he had USB rights as part of his role for at least some time.

    10. gnasher729 Silver badge

      Re: Depends if decent efforts at data security made by Morrisons

      "It's all about taking reasonable steps to keep data secure"

In this case, absolutely not. If a random hacker had broken in, yes, you would be right. But here the primary question is: Did the employee do this as part of his job? If, for example, a security guard at Morrisons accuses you of shoplifting and locks you into the stockroom for three days, then he acts on behalf of Morrisons and the company is liable for any damages. And that's the question here: Did he act on behalf of Morrisons? Was it part of his job, and is Morrisons therefore liable? Or is he a random hacker, who just by coincidence was an employee at Morrisons?

Like the security guard: If he does anything related to security, no matter how bad, he is acting on behalf of the company, and the company is liable. If the guy's job was related to payroll data in any way, then he was doing his job (in an extremely bad way, obviously) and Morrisons is liable.

  2. big_D Silver badge
    Coat

    Today Morrisons, tomorrow the Pentagon...

    I know jurisdiction gets in the way... But if Morrisons lose, could the Pentagon be held liable for Wikileaks Pentagon Papers and the NSA for Snowden?

  3. Anonymous Coward
    Anonymous Coward

    purple jumper

"Lady Hale, president of the Supreme Court – wearing a purple jumper with a poppy brooch ..."

I'm trying to figure out how her jumper and brooch are in any way connected with the article as posted, or the legal case.

    Could someone please enlighten me?

    Maybe she bought them from Morrisons??

    1. Anonymous Coward
      Anonymous Coward

      Re: purple jumper

      I suspect this is due to it being part of Lady Hale's following - the type of brooch especially. I guess the author would not wish to disappoint those for whom this information is part of her appeal.

      For instance,

      https://twitter.com/chiefbrody1984/status/1176433515887550464?s=20

      Some suspect that the brooch might be used for subtle messages...

      1. Ken Moorhouse Silver badge

        Re: this information is part of her appeal.

        I thought it was Morrisons who were appealing?

    2. hplasm Silver badge
      Facepalm

      Re: purple jumper

      Purple jumper vs black hoodie -obviously!

      sheesh! /s

    3. Anonymous Coward
      Anonymous Coward

      Re: purple jumper

I believe there's a recent media following / cult of Ms Hale, since the time of her presiding over the most famous (perhaps) session of the Supreme Court, recently. The UK media picked on the oversized (and in my view fugly) brooches she prominently wore and it was easier to write a couple of paragraphs about the brooches than about the arguments because, really, who the fuck cares about arguments in the possibly most important court proceedings in recent UK history. So, whenever she's mentioned now, it appears her brooches follow her, kind of a trademark.

      btw, while I disliked her brooches very much (shrug), I think she was brilliant during that case, and so were other judges and, actually, almost all participants :)

  4. Blockchain commentard Silver badge

    An auditor remit can be quite wide so he may well have had legitimate need/access to a payroll spreadsheet. However, copying it to post on a Tor site can't be in his (or anyone's) job description surely?

    1. Kevin Johnston

      and this is where the grey area starts.

As has been mentioned here and in previous articles about this, the crux is whether he had access he abused or whether there was a gap he took advantage of. If the first, he is wholly to blame; if the second, then Morrisons have to share the blame. The difference between the two is mostly semantics unless there is a piece of paper (or the electronic equivalent) which says that he may/may not make offline copies of data.

    2. DontFeedTheTrolls Silver badge
      Boffin

      Was he there to audit the data? - yes.

      Did he therefore have legitimate reason to access the data? - yes.

      Did Morrisons take suitable precautions to ensure that when he had access to the data he didn't do something malicious with it? - no. Irrespective of what he actually did beyond his job remit, Morrisons appear to have done nothing to prevent him doing it (evidence yet to be presented and reported).

      He could have been restricted to a room where he couldn't take any possessions in or out with him, and he could only work on the audit within that room. I've been to IT exams with this type of restriction, where a metal detector scan was completed to enter the exam room.

      He could have had a chaperone watching him. Not exactly comfortable, but could be considered necessary.

      1. Anonymous Coward
        Anonymous Coward

You have hit on the crux of the issue - it is effectively what precautions did Morrisons take to prevent the loss of information, and were they sufficient in the eyes of the law to absolve Morrisons of responsibility for the data loss?

If, as you suggest, the auditor had legitimate access to the data and removed it with little supervision, then I believe the liability for his actions remains with Morrisons. If, on the other hand, Morrisons conducted background checks, the auditor had some form of professional standards that formed part of his employment checks, the data he had access to was restricted in appropriate ways (i.e. he didn't have root/DBA access or equivalent), there was adequate supervision and there were some attempts by Morrisons to implement data loss prevention (DLP), then Morrisons may have a case BUT I believe they should have to prove that they have implemented an acceptable level of protections as judged against the industry and appropriate regulations.

My opinion is Morrisons likely have "a standard level of industry protections" BUT not a level that meets the regulatory requirements, and this case will likely mean businesses have to do more around DLP in the future.

There is a separate argument for whether Morrisons should be responsible for correcting the issues caused by the data loss - I believe they have some responsibility here regardless of whether they have legal liability for the data loss. While Morrisons may be unhappy with this, it would likely make some form of business data protection insurance an acceptable business cost for this type of thing and (hopefully) balance the costs between companies and affected parties in the future.

  5. mark l 2 Silver badge

It seems crazy that you would have to have in the auditor's job description that they were not allowed to commit a crime while tasked to do what they were employed to do.

After all, you wouldn't expect Morrisons to have to write in the job description for a checkout worker, "You must not take the money out of the store when you leave." And if they didn't, they would be jointly liable if one of the employees did steal money from the tills.

    1. Anonymous Coward
      Anonymous Coward

      https://www.bbc.co.uk/news/uk-35696701

  6. The Original Steve

    Real life example

    My current client is a mid sized pension provider. Whilst lots of staff have access to single records (vetted staff, audit trails, no way to export), the auditors do - apparently - need unfettered access to all the records.

As such, there's a locked down endpoint (kiosk mode, whitelist for executables and no browser, all external ports disabled), chained to a desk in a dedicated meeting room. Screen recording is enabled and for good measure there's always at least one clued-up employee sitting and watching too.

    It's not bulletproof, but given the sensitivity of the data and the level of access I feel it's entirely reasonable and proportionate.

Funnily enough, the auditor was very unhappy with this arrangement and complained to the FD. When the FD came to 'discuss' it with me I already had a letter printed out referencing this case, and that I'd be delighted to water it down if she signs the letter that clearly shows she has signed off on going against the security consultant's advice and on behalf of the company the IT function and myself would not be held liable should something happen.

    Auditor still hates me, pension info remains locked down and the world still spins.

    1. Doctor Syntax Silver badge

      Re: Real life example

Nice one Steve. It says a good deal about the auditor if they disapprove; they ought to be in favour of such security.

      1. pig

        Re: Real life example

        There is a great deal of difference between what auditors should know and do and what they do know and do.

    2. Anonymous Coward
      Anonymous Coward

      Re: Real life example

      The most beautiful thing I've read today, thank you :)

"When the FD came to 'discuss' it with me I already had a letter printed out referencing this case, and that I'd be delighted to water it down if she signs the letter that clearly shows she has signed off on going against the security consultant's advice and on behalf of the company the IT function and myself would not be held liable should something happen."

  7. Anonymous Coward
    Anonymous Coward

"he had metaphorically taken off his uniform"

Wonderful, this covers any wrongdoing by any employee. He took off our uniform when he took your money, now fuck off!

  8. Doctor Syntax Silver badge

Whilst we can debate what are appropriate technical security precautions, there's another aspect. Was appropriate due diligence carried out in the appointment of the auditor? IIRC there was some disagreement beforehand, in which case why was access not rescinded when that happened?

  9. adgec

    Insurance

I seem to remember that in the earlier ruling, when Morrisons asked how they were supposed to have protected themselves against a rogue employee, the judge basically said "that is what insurance is for". You can't guarantee someone won't circumvent the controls they are responsible for, but as there is always a risk, a business should insure against that risk for when they can't protect people's data. Otherwise employees can't get proper compensation, and why should they suffer more than Morrisons?

  10. Anonymous Coward
    Anonymous Coward

    Not sure on this one

If you have a rogue employee who knows where there are "holes" and exploits them, are you to blame? Yes, if you knew about the holes and didn't plug them to "save costs", but you could always argue you weren't aware of the holes. But then it would be asked, why did you not pay for any sort of pen testing to find any holes? But if your company has done everything it could to secure said data but the rogue employee still got the data (taking photos of said documents, old-school spy way), I'd say you're not responsible.

Sometimes companies need to be taken to task, however, for their lax approach to security. Like certain companies that go with G Suite and then say "Yeah, you can use your home machines as long as you sign a form that states they have secure login passwords for the account and have anti-virus". No actual check was ever done on anyone's personal kit. And when it was pointed out "You do realise you're encouraging people to use Google Drive now for all documents? I understand that anyone that wants to steal all documents can now upload to Google Drive but that you audit that upload. What you don't audit is the download, because Google Drive for Desktop will sync all documents to another machine with no audit trail, as mentioned in the small print of Google Drive for Desktop. And you're so lax you haven't bothered to procure a 3rd party application that would be able to audit all those transfers. So you are, essentially, complicit in the data stolen by an ex-director via Google Drive before they left".

    In that situation, not only would I say the company is at fault but the director who forced those decisions through despite the above advice.

  11. MadAsHell

    Employers MUST be liable for their employees

    The whole point of vicarious liability was to provide some remedy for injury caused by a man-of-straw (the employee) - his employer, for whom he is an agent, has to accept the risk and then a) mitigate that risk, b) insure against it (if he has any sense).

By this logic the RCJ are absolutely liable for their cleaning staff who steal from judges' chambers! The employer has provided them with a go-anywhere pass (essential for the job) but has to take reasonable steps to ensure that they are honest, and bears the responsibility if they steal during the course of their job. If they try to use the pass out of hours to gain access, the pass should be disabled, all accesses should be logged, and random audits done, which mitigates the risk. As the temptation and risk grows, the steps required to ensure that staff are honest increase: exemption from the Rehabilitation of Offenders Act, a guarantor standing a bond, background checks etc. The RCJ are *not* liable if their employee assaults someone during the course of the job, or speeds in a car to and from the job. There's a line, which only Lady Hale has difficulty seeing.

    If Morrisons escape liability for this then they can't be held liable for their warehouse staff driving a forklift truck into someone, or dropping a pallet onto a visitor, and even Lady H can see that would be a serious public policy mistake.

    Just because no-one was punished for the loss/theft of the entire NI child benefit claimant list doesn't mean that DWP weren't liable for the damages when folk discover that their IDs have been cloned using the stolen data.

  12. Anonymous Coward
    Anonymous Coward

    Morrisons used to have the security

Morrisons used to have the security, I should know: I and a colleague implemented it over 10 years ago!

    Full USB lock down across the estate with only authorised devices allowed to download information in an encrypted format that only machines within their estate could decrypt.

    I left 10 years ago and my colleague not much after as their pay and conditions were awful. Morrisons were left with no one to run the system and even resorted to advertising for a contractor on a lot more money than they'd ever pay me as an employee to come and run it, but couldn't find anyone. I can only assume with their drive to reduce costs, outsource and make the majority of their onshore IT redundant that IT security was deemed too expensive.

    1. Eclectic Man

      Re: Morrisons used to have the security

      Umm, shouldn't you be a witness and give evidence at the trial?

    2. Anonymous Coward
      Anonymous Coward

      Re: Morrisons used to have the security

      Now you can be an expert and pay them back..

      Anon, as this looks vindictive.

  13. Eclectic Man

    Compare with Snowden

Ed Snowden had admin access to 'secure' USA computers and downloaded a lot of data which he then 'published'. The information was government secrets, but the precedent of an employee using his computer access to perform unlawful acts in downloading data has been set, and Morrisons must have been aware of it. The NSA did not just shrug their collective shoulders and say, "it's not our fault if an employee decides to break the law". It will be interesting to see if the eventual judgement, mutatis mutandis*, would hold the NSA liable for Snowden's actions. We'll just have to wait and see.

*Latin for 'with the appropriate changes made to names, but logically the same argument'.

  14. FlamingDeath Bronze badge
  15. FIA

"Lady Hale, president of the Supreme Court – wearing a purple jumper with a poppy brooch – commented"

    But what was Lord Pannick wearing?? Oh... no... wait... it's 2019.... does this really matter?

    1. Anonymous Coward
      Anonymous Coward

I'd imagine the descriptions are trying to paint a picture and reward some of the effort of actually being at the court while reporting.

e.g.: "Bearded Parmar, wearing a black open-necked shirt, a gold chain and a black jacket"

https://www.theregister.co.uk/2017/08/30/ex_harrods_man_pardeep_parmar_computer_misuse_plea/

"Finch, 49, appeared at Westminster Magistrates' Court yesterday wearing a black suit and yellow shirt with a patterned tie"

https://www.theregister.co.uk/2019/10/10/simon_finch_ex_bae_systems_charged_official_secrets_act/

"The British executive and tech investor, who was wearing a white shirt, navy suit and dark blue tie with a tight white horizontal stripe pattern"

https://www.theregister.co.uk/2019/06/26/mike_lynch_autonomy_evidence/

    2. Ken Moorhouse Silver badge

      Re: Lord Pannick

      Wasn't he a Colonel?
