U.K. Court Finds Employee Actions Constitute “Vicarious Liability”, despite meeting GDPR Requirements

Stu Sjouwerman | May 6, 2019

The latest developments in the lawsuit against UK supermarket chain Morrisons may dictate the future of employers being held responsible for employee actions.

In 2014, Morrisons was the victim of a data breach carried out by an internal auditor who stole and disclosed more than 100K employee records. While the employee was caught and is currently serving jail time, the supermarket chain is still fighting a class action lawsuit brought by 5,500 of its employees. At the time of the breach, Morrisons was compliant with the requirements set forth by the GDPR’s predecessor, The Data Protection Act of 1988.

In 2017, Morrisons was found not to be directly liable for the breach (as it resulted from the actions of a rogue employee), but the court found that, because the auditor was an employee, Morrisons was exposed to vicarious liability – where an employer can be liable for the acts or omissions of its employees, provided it can be shown that they took place in the course of their employment.

While the case is currently under appeal, the implications for organizations doing business in the U.K. are material and tangible. Should the ruling be upheld, cyber insurance rates will skyrocket (or policies will exclude vicarious liability).

And because vicarious liability can be caused by an employee merely “doing their job”, it’s conceivable that someone falling for a phishing scam that results in a data breach could expose the organization to vicarious liability claims in court.

This is a slippery slope for organizations in both the U.K. and the U.S. (as we’re beginning to see government interest in the concept of vicarious liability around data breaches). Organizations need to put controls in place that protect them from cyberattack – from the perimeter (firewalls, email/web scanning, DNS scanning), to the endpoint (AV, EDR), and all the way to the user (Security Awareness Training, Phishing Testing). It’s likely you won’t be able to stop 100% of all attacks, but the goal behind this layered security approach is to minimize the threat surface as far as possible, limiting the possibility of breaches that could fall into the “vicarious liability” category.

