The latest developments in the lawsuit against UK supermarket chain Morrisons may dictate the future of employers being held responsible for employee actions.
In 2014, Morrisons was the victim of a data breach carried out by an internal auditor who stole and disclosed more than 100K employee records. While the employee was caught and is currently serving jail time, the supermarket chain is still fighting a class action lawsuit brought by 5,500 of its employees. At the time of the breach, Morrisons was compliant with the requirements set forth by the GDPR predecessor, The Data Protection Act of 1988.
In 2017, Morrisons was found not to be directly liable for the breach (as it resulted from the actions of a rogue employee), but the court found that, because the auditor was an employee, Morrisons is exposed to vicarious liability – where an employer can be liable for the acts or omissions of its employees, provided it can be shown that they took place in the course of their employment.
While the case is currently under appeal, the implications for organizations doing business in the U.K. are material and tangible. Should the ruling be upheld, cyber insurance rates will skyrocket (or policies will exclude vicarious liability).
And because vicarious liability can be caused by an employee merely “doing their job”, it’s conceivable that someone falling for a phishing scam that results in a data breach could expose the organization to vicarious liability claims in court.
This is a slippery slope for organizations in both the U.K. and the U.S. (as we’re beginning to see government interest in the concept of vicarious liability around data breaches). Organizations need to put controls in place that protect them from cyberattack – from the perimeter (firewalls, email/web scanning, DNS scanning), to the endpoint (AV, EDR), and all the way to the user (Security Awareness Training, Phishing Testing). It’s likely you won’t be able to stop 100% of all attacks, but the goal behind this layered security approach is to minimize the threat surface as far as possible, limiting the possibility of breaches that could fall into the “vicarious liability” category.