Here we go again...
As I noted elsewhere: "That presumes that the ICO's role is to protect citizens' data. Observation would indicate that in most cases it's to explain that they're not going to."
The UK's Information Commissioner urged the Court of Appeal to side with Morrisons in the supermarket’s battle to avoid liability for the theft and leaking of nearly 100,000 employees’ payroll details – despite not having read the employees’ legal arguments. A letter (PDF) sent to the Court of Appeal in May 2018 on behalf of …
"Their job is to maintain a healthy balance between private citizens' data and those who wish to use it, within the boundaries of the law.
One aspect of this is dealing with those that break the law, the other side is making sure organisations can still operate."
You are correct that they *should* maintain a healthy balance.
If you think that they *ARE* maintaining that balance in this case, you are 100% wrong. Irrespective of the merits of the case, by submitting in favour of Morrisson's without having heard the arguments of their customers, they are clearly not maintaining any sort of balance.
One aspect of this is dealing with those that break the law, the other side is making sure organisations can still operate.
It is, but unfortunately the ICO has been asleep at the wheel for decades. Primarily it seems to exist to prevent people suing companies that break the act directly in small claims court. Not once have they ever fined an organisation I've complained about despite the legal & health ramifications being quite significant. The CPS deliberately chose to ignore the DPA in my case, said as much in writing, and still only got a telling off by post. The NHS ignored my request for almost a year until the ICO got around to telling them they couldn't, after which they provided mealy mouthed excuses & lies, but still no GDPR fine.
There's no point in having both the GDPR and the ICO as the latter makes the former impossible for individuals to enforce.
"It is, but unfortunately the ICO has been asleep at the wheel for decades. "
It's not asleep at the wheel. It's that way by DESIGN,
Things were looking up a few years ago but a few years of May and Johnson have utterly fucked that. Even the return of Wayne Mansfield and his "seminars" on how to spam in swanky London hotels got a "go away, we're not interested" response.
If we put aside individuals rights and just focus on the effects of the ruling, I can understand the ICO's approach - this decision significantly alters all companies liability for data breaches.
While this change is not impossible to resolve (i.e. insurance), it is likely to be a new market and create significant additional costs for large companies until that insurance market and supporting legal cases mature and stabilise.
I was expecting a fudge - avoid ruling on companies liability in general but find Morrison's failed to follow best practice for securing sensitive data so that a precedent was not set.
In this case the position the ICO is taking is the best way to protect citizens data.
The person who stole the data was authorised to access it. He needed to access it and provide a copy to the external auditor for regulatory reasons. I have been in this situation myself multiple times. By virtue of being the internal point person supporting the external audit, the data owner would always approve the access and accept my call how the data is extracted and transferred. Typically I used use an encrypted USB. Taking additional copy of the data for myself during this process would be trivial. I don't even need to use company system to do it. Taking an extra copy would be morally wrong, a breach of integrity, and something I would never do. Unfortunately some individuals might be tempted if it meant that they had gained something that could be used to hurt their employer or for their own personal gain. Perhaps they would think of it as an insurance policy.
A ruling against Morrison will put needless temptation into the hands of some people who could sneak data out of a firm. In this specific type of incident the precedent needs to be made clear that the criminal is the person taking the data and the victim is the firm.
I would argue that it is all a balance of risks and consequences.
In your example, by allowing data to be copied to a non auditable system (a usb) then the company is accepting a risk. There are more costly and involved was of transferring the data that reduce the risks the company is accepting responsibility for the risk. Something as simple as encrypting twice with a different member of staff setting the second password would significantly reduce the risk of one bad apple taking advantage. Secure tools that transfer data online and are auditable are also available.
Whilst spaffage isnt something that should just be ignored, it should depend on what effect said spaffage has had on those affected.
A list of names, company emails and home addresses is fairly unlikely to be a problem, it might, in the right circumstances, allow the details to be used for nefarious purposes, such as applying for credit, but those sorts of things should be caught by others.
Not a single person lost a single penny as a result of the unauthorised disclosure. There were no losses.
If this had been an action in tort, there would have been no question of damages as there has been no loss. The DPA includes provisions for claiming for distress, which is the basis on which this claim is being made.
Unlike the ICO, I have read the legal submissions. She isn't missing anything.
Can't really see the court's argument here.
If Morrisons had been negligent and let someone have access through poor security or policy then yes. But he was legitimately authorised : he just abused that permission. How was Morrisons supposed to stop that ?
If someone over 18 stole a kitchen knife from their store and stabbed someone with it, would the store be an accessory ?
He was authorised, but what were the checks and balances on his access and use of that data? I don't know the details of this specific case but it's a basic principle that you don't just hand over full control and say, "Have at it."
I've been authorised to spend large sums of money on behalf of my employer but trust me, they tracked the expenditure and invited me to provide evidence and justification for doing so.
Yes, after the fact they did.
But to the original point that wouldn't have prevented you from doing it, it would have merely provided repercussions for you if had.
I think there had to be a point at which someone needs to be trusted. Even if there had been technical measures possible to prevent this you'd still need to trust the person or persons implementing them, and the people checking them and so forth.
"Skelton, an auditor for the supermarket chain, had authorised access to its entire payroll while KPMG was auditing the company accounts"
Given that auditors are generally assumed to be trustworthy, and it's quite tricky to properly audit a company without access to its 'books' and data, what the heck were Morrisons expected to do? Have two auditors from another company physically standing at Skelton's shoulder 24/7 until he had finished and had his access revoked?
Or maybe they should have provided anonymised and filtered data to Skelton? Who could not then trust the data, as the person preparing the secure extract may be the one fiddling the books?
What 'honesty' checks did the audit company do on their employees?
Skelton was a crook. He abused trust. He goes to jail. That's it.
What's next? Home-owners liable for burglary because they installed breakable glass in their windows?
"what the heck were Morrisons expected to do?"
let^s see, maybe provide the data in an environment where he could access and analyse it, but not copy it onto an external USB without extra verification, or at all?
Like literally every work computer I have had across the last 10 years and 4 workplaces?
His job was not to analyse it. His job was to prepare it to send onward to the external auditors (KPMG). Their (KPMG mandated) process required the data to be put on a USB. Skelton copying the data to a USB wouldn't have raised alarm bells even if they had detected it because it was a component of his job
I’m struggling to see why anyone thought exporting the Payroll Database and sending it outside to an Auditor was not a purpose limitation on sharing it. There work should have been carried out inside Morrison’s Security Realm.
Yes before GDPR fully came into legal force, but GDPR was a formalising of much long existing legislation.
Are the auditor not equally liable as Morrison’s ??
I have worked with some extensive data protection , and there are times when you hit a wall between the needs of global security and the needs of having that data to do your job. There are almost always ways around any data security once you have physical access even if it ends up being screenshotted and printed as photos... though all this does leave an audit trail that could incriminate me if I abused my employers trust and my data “escaped” even if it’s a barn door/horse bolted situation.
That said, I was still mandated so sign some severe NDA’s with mandatory termination and possible legal action if I screwed around with the data entrusted with me...
"Given that auditors are generally assumed to be trustworthy"
From the first report of the case linked in the article: "The attack was allegedly in response to Skelton being accused of dealing legal highs at the company's headquarters in Bradford."
I'd have thought that that might have lead them to question such assumptions.
If someone over 18 stole a kitchen knife from their store and stabbed someone with it, would the store be an accessory ?
Well... in that case the store could successfully argue that it had no knowledge of the 18 year old having stolen the knife. OTOH if the store had sold the knife to the 18 year old it could be argued that the store was complicit with his possession of it.
The argument can be carried to extremes; if I buy fuel from a garage and then run someone over can the garage be held in any way liable on the grounds that it provided part of the means by which I committed an offence?
In this case (in which I have no involvement and IANAL in any case) the offender had legitimate access to the information so I find it hard to hold Morrisons to blame in any significant way. The only way an employer - in this case Morrisons - could try to protect themselves would be to have person B looking permanently over person A's shoulder to try to stop A misusing data to which he or she has legitimate access.
Where's the can of worms icon when you need it?
I see where your argument is however the fact one person had access to all the data and also the ability to swipe it means they did not take due care of said data in my humble opinion. If Morrisons left kitchen knives at the front of the store with no anti-theft measures in place and someone took one and stabbed someone that would be negligent because they have a duty of care to ensure dangerous products for over 18's are sold safely.
Apparently he was following a KPMG mandated process to copy the data to a USB stick to forward on to KPMG. That data should have been encrypted in a way that once copied, he would no longer have access to it or decrypt it since only the authorised recipient should have the decryption key. If Morrisons chose not to do it in this way, and KPMG didn't mandate that as part of the procedure, then it's entirely possible that both were in breach of their duty to keep the data secure.
No - most of the comments here have not actually read the facts of the case or even the judge's ruling.
Ironically the commentors are as guilty of not reading up on both sides which is the subject of this article.
The key point is the interpretation of vicarious liability.
Even if encrypted, as people claim here, won't help, if he hacked or brute forced the key, Morrisons is *still* liable.
The implication of this is that the business must create a system of data protection that is impregnable - military grade won't do, NSA grade seems to be the territory it is asking for.
Go read the judgement
If the store had left the knife lying around and the doors unlocked, would they be negligent then?
Or in this case, should Morrisons have had more internal controls and auditing to stop a rogue employee from being able to as easily steal their data?
It's a tricky question, I don't know what the answers to those questions are, but I believe that's what the court is trying to find out.
Given he was able to copy data to a USB drive of his own I would say poor data policies.
External drive lockdown would be normal policy in most companies for low level data never mind really sensitive stuff.
So, as contractor was able to take a private copy then Morrisons not really obeying good security practice IMHO
This tone assumes Morrisons was powerless against KPMG's proposed mechanism,.
Morrisons is of course entitled to refuse a process they consider to be contrary to their data protection obligations.
They're required to be audited, they're not required to be audited according to a process invented by a third party they don't agree with. Of course they may not have reviewed it..
"They're required to be audited, they're not required to be audited according to a process invented by a third party they don't agree with."
It wouldn't exactly be the first time KPMG's practices have been found "wanting"
"Of course they may not have reviewed it.."
Given KPMG's history, I treat them with a healthy degree of paranoia, however most people seem to have blind faith in their assertions and have never heard of all the various messes they've been mixed up in.
P.T.Barnum had a phrase to cover that - and never follow signs pointing to the fabulous egress.
Then it seems both Morrisons and KPMG could be liable. KPMG for mandating such obviously insecure practices, and Morrisons for failing to see that as a potential security risk and calling KPMG out on it.
Both parties failed to adequtely secure sensitive data by following poor security practices.
If the store took no reasonable, proportionate action to secure the knife and had foreknowledge of the likely consequences(*), well, yes.
what is reasonable and proportionate is the question.
If the knife was in a locked cabinet (as it is for the better knives in Lakeland) that is one thing
If the knife was on a table outside the door with a label 'please stab someone', that is another.
But he was legitimately authorised : he just abused that permission. How was Morrisons supposed to stop that ?
As others said last time this was discussed, they were supposed to do that by making it bloody difficult for him to do so, or at least to do so without being detected. By making it physically impossible to attach storage devices, for example. By making him pass through a metal detector, maybe - I have seen that in non-spooky environments. By logging what he was doing. And so on.
Do stores still have kitchen knives on open, non-secure display? I haven't looked recently, but I'd be surprised.
Do stores still have kitchen knives on open, non-secure display? I haven't looked recently, but I'd be surprised.
Then prepare to be surprised. My local Tesco has them freely on display; generally security-tagged but not locked away. Last I recall Sainsbury's, Asda, Morrisons are the same, but I've not been to any in the last few months so could be poor recall.
And no I don't call pinning a tag to it "secure". They're usually just pinned through the plastic packaging, which is easily cut away by your average n'er-do-well.
"If someone over 18 stole a kitchen knife from their store and stabbed someone with it, would the store be an accessory ?"
The analogy is far from perfect, but perhaps rather more like: if retail supervisor in a shop grabbed a knife and started stabbing customers, to what extent would the shop management be liable? Should the management have taken more care in selecting and/or monitoring staff? Were they rather lax, and hence negligent? Did they take reasonable care, but still got caught out? Were they extremely rigorous, and so it would seem unfair to blame them? Should the shop be fined or sanctioned *regardless*, to encourage them (and others) to be (more) careful in future? Should any fines be somehow made proportional to care taken during their staff selection procedures and/or any monitoring programmes?
I'm quite interested to see how this Morrisons case turns out; and what the legal arguments and justifications are.
The issue here is that Morrisons had a duty of care (or whatever the appropriate phrase for the legislation is) to prevent the data they held from becoming public. They failed in that obligation and are therefore liable for it.
How the data became public shouldn't be the issue. The 'bad apple' is always a difficult risk to manage in any organisation, but just because it's difficult shouldn't mean that they should not be liable for it.
The vicarious liability interpretation is still a problem.
If an employee memorised the details, they would *still*, according to this interpretation of the DPA, be liable.
The danger of such overreaching judgements is that it can result in Data Protection itself as being seen as unreasonable to business.
Having a duty of care and not succeeding does not automatically mean there's a liability. Stuff happens and you can't reasonably prevent everything all the time. Their only obligation is to take care, not to succeed in all circumstances.
But yeah, they do have a duty of care, and stuff happened. So now it's up to the judge to decide if they have taken sufficient care or if they could reasonably be expected to have prevented this from happening.
So, the meter reader turns up, in their uniform and brandishing the official badge and I let them in. In the course of their duties they take the opportunity to steal from me. While the courts seek to punish the meter reader, recompense for my loss would be paid out by the meter reader's employer, without any argument, as it is already clearly established in law that the employer is liable for their staff and their agents transgressions while representing the company.
How Morrisons thinks they can twist this age old law to not apply in this circumstance is beyond comprehension. And the idea that this case will create a precedent is similarly absurd. At best, it will confirm the guidance that has always been in place is applicable to intangible zeros and ones as much as it is to the physical world.
No, he was a senior Morrisons employee working with KPMG to provide the data to them for the audit.
IMO, this represents a failing from KPMG too - when we're being audited at work, the auditors attend site with their own encrypted USB sticks for retrieving data - it's then under their jurisdiction and they're required to a) protect it and b) not leave the site with it without authorisation.
by Morrisons to protect the employees' personal data? This will lie somewhere between: a clause in a contract saying that the data must be kept secure; and monitoring by several watchers of every keystroke/action of every person who has access to the the data.
Somewhere someone/some-people has/have to be trusted, beyond that responsibility lies with the person(s) who took & abused the data.
The ICO seems to behave like most company HR depts, they're sympathetic but utlimately they're not there for individual's protection, they're there to protect the company from anything and individual does and at the end of the day the company, or in this case big business, is being protected above citizens private interests,
From an earlier article:
Skelton, the data thief, was an IT auditor for Morrisons. He was disciplined by the company for using its postal facilities for himself, something that left him holding a grudge. After external auditor KPMG asked for copies of various data including the entire company payroll, Skelton made a private copy of it from an encrypted USB stick.
I doubt KPMG can be expected to oversee their clients' employees. If anything surely it would be Morrisons' responsibility to oversee KPMG's
KPMG should have attended site and retrieved the data themselves - the email/communications trail that lead to KPMG entrusting Skelton with the task will be key here.
If he roadblocked them about them coming to get it themselves, effectively engineering the situation where he would have to personally extract the data, then they're in the clear. If they cut corners to save money or time, then they should be in the dock too.
The ICO's role should not include trying to influence court cases that they haven't themselves brought.
They may have a role in helping a court understand the law, how it is interpreted, the guidance issued to companies and best practices, but that should be at the request of the court or one of the parties to the case, not unsolicited.
In this situation this frankly looks like attempted political interference in a legal case, where the politics are 'big business good, consumers can fuck off'. Which is itself not what I'd deem desirable branding for the ICO.
It always come down to you having to trust other people.
Whether that's people auditing your accounts or people writing, supplying or supporting software or systems that run the software you still have to trust them.
Trust not technology is the foundation of security.
Just look at the whole: "you can't trust closed source software" thing. Well if you can see the code then suddenly it becomes: "you can't trust the compiler". Well if you can trust the compiler then: "you can't trust the CPU" etc.
Technology can help by restricting how far you have to trust people by limiting what someone can access but if someone needs access to everything then it doesn't help much. If someone can see data then if all else fails they can take it away with them in their brains no matter what technology you've implemented.
Is requiring an auditor to work naked in an underground bunker after undergoing an anal probe to make sure he's not sneaking a hidden camera in with him before shooting him in the head when he's finished really proportionate to protecting payroll data? I can't see any other way you can make sure you don't need to trust an auditor. (obviously doing all those things to an accountant is appealing)
Good to see that some people are taking care to get all the information before making a decision.
Elizabeth Denham should resign. Her job is not to protect companies and, unlike Ajit Pai, she is not working in the US. She should be ashamed of having expressed her authority in a matter where she had not seen all of the available information.
For an Information Commissioner, she acted in a singularly uninformed manner.
Not a lawyer, but I thought it was routine for amicus submissions in support of a party to a legal case to reflect / interpret / support the pleadings of that party, without necessarily having access to the other parties' brief (especially if it's submitted during the discovery process)? Amicus submissions are not supposed to be an all-encompassing interpretation of the case (teaching the judges to suck eggs), but part of the evidence to be considered. You don't need to see all the other evidence to say, "this is our interpretation of how the laws on privacy breaches and liability between corporations and employees should be applied in general". It's not corrupt behaviour for interested parties with relevant knowledge or expertise, including government departments, to make submissions in legal cases.
Not seeing the problem if the ICO's policy position is that corporations are not automatically vicarously liable for employee law breaking (unless some negligence or malpractice is proven). It's up to the court to synthesise a ruling from all the evidence and they're free to discount the ICO's submission (which it seems they did).
It is disingenous for the article to imply that Morrison's are true opponents of the victims of the breach here; I think Morrisons would be argulng that they are (indirectly and reputation-wise) the victims, too. Again, unless there was some gross negligence on their part. And as others have said, if it's Morrison's fault, why not KPMG's?
Data Protection act 1998 schedule 1 principle 7:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Morrisosn failed to take appropriate measures to prevent the information being unlawfully processed by Skelton, as such they are deemed negligent in their duty of care and liable to prosecution for damage caused.
IANAL but could it be argued that the Morrisons' auditor was part of the process in place to protect the data, since KPMG were not being given direct access to the system? If so, would it have been reasonable to expect Morrisons to have a process to monitor the monitor - and a process to monitor that monitor...
Big fleas have little fleas
Upon their backs to bite 'em.
Little fleas have littler fleas
And, so, ad infinitum.
In retrospect, Morrisons measures were insufficient but, at the time the crime took place, would a reasonable person (that is, not a cyber-security expert, such as populates this forum) have considered them reasonable and appropriate? Now the case has come to court, and irrespective of the eventual judgement, Morrisons' approach should be considered insufficient for ever company in the UK.
I'm surprised how little media coverage this case is receiving because it's possibly one of the the most important law suits in recent history. Almost since the net went live people have hoovered up and used data and there is no such thing as a secure database. No matter what the financial or emotional costs to millions of individuals of a data breach, the perennial response is an empty apology occasionally accompanied with a nominal fine to a government body. If, as I hope, Morrisons lose this landmark case, every HR and legal department, in the UK at least, will panic and reconsider the basic instinct to horde data and to transact with staff and customers wholly online. Most IT departments are unfit to prevent even fairly unsophisticated attacks and so a basic philosophical shift is required from holding data to not holding data. Either services should be structured wholly around the handshake principle in which data is briefly passed but not stored, or data should be kept only by security-skilled data storage providers who are fully insured to accept liability for any breach. Holding data might make life easier (and more interesting/useful) for organisations but there is very little actual need for it.
A supermarket firm has an audit - possibly legally mandated by the state to be carried out by an accredited auditor.
Said auditor should be covered by a security and confidentiality agreement with the auditor and it’s not like KPMG are a fly-by-night cowboy outfit (ahem...). Auditor audits, requests all sorts of data for said audit, company is legally required to provide data to auditor for legally required audit, then auditor does a secret squirrel with the data and somehow pastebin’s it.
I would have thought that Morrison’s would have been able to prove that this data was requested by auditor in the framework of the audit, dropping responsibility squarely on the Audit firm. Morrison’s gets understandibly sued as it’s their data but should be a doddle to prove that the auditor had the legal requirement to access this data under the audit mandate and the blame, responsibility and fallout lies with the audit firm, and they can then explore their own legal avenues of recourse against the auditor for breach of contract and trust?
(say audit again, I dare you, I double dare you...
This hinges on whether appropriate measures were taken to protect the data concerned. It is far from clearto me wehether this was the case or nto but most on here seem to be arguing that the fact that a criminal employee was able to circumvent whatever measures were taken of itself is sufficient to proof the measures were not appropriate. This is a crazy argument as it is not possibole to have security measures which are absolutely impossible to circumvent under any circumstances, paticularily against a rogue employee or employees who have legitimate access to the data concerned.
The situation is quite different to an injury caused by an employee or the like while acting as an employee as in this case it is not alleged that anybody has been damaged or hurt in anyway except by 'distress'.
The difficult question is of course what measures are appropriate and in this has to be a judegement of how sensitive the data was and how likely would be attempts to access it inappropriately versus the measures taken to ensure its security. Given the impact of the data leak is conceded by everyone to have been negligible the data cannot be considered to be of high sensitivity. If the data was only secured via access granted for a legitimate purpose to an appropriate person, who was appropriately selected and the data access was limited to only that reasonably required then based on this Morrisons should be considered to have taken appropriate measures.
Perhaps it's just I'm a grumpy old fart but in a criminal case, going directly to the judge to try and influence the outcome could be construed as attempting to pervert the course of Justice. Personally, I feel the same rules should apply in these type of cases. If you have material evidence, then present it to the court and allow the judge to decide, otherwise just do the job we pay you for and apply the unbiased judgement.
While Morrisons might not have direct responsibility for Skelton's actions, they do hold a responsibility of action in reply to those actions. It seems simple to me that while Morrisons cannot always prevent the crime, they do hold responsibility in taking action as there is a contract between then and Skelton for employment.
If Morrisons sits back and does nothing (or is even supportive of the crime) then they are part of the crime. If Morrisons takes action that their part of the contract requires (such as having Skelton arrested), then they are cleared from legal action that they did their due diligence.
In the USA, we call this as being an accomplice. A search on the internet shows that UK accomplice law is very similar.
This would set a bad precedent if Morrisons got away with this one.
As the collector and collator of the data Morrisons are liable for it's security.
After they are fined they would be completely within their rights to counter-sue the errant auditor to reclaim the fine. Somebody has to take responsibility for personal data and that must be the people who collected that data.
Biting the hand that feeds IT © 1998–2019