Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    U.K. Court Finds Employee Actions Constitute “Vicarious Liability”, despite meeting GDPR Requirements

    data-breach-varonis

    The latest developments in the lawsuit against UK supermarket chain Morrisons may dictate the future of employers being held responsible for employee actions.

    In 2014, Morrison’s was the victim of a data breach acted out by an internal auditor who stole and disclosed more than 100K employee records. While the employee was caught and is currently serving jail time, the supermarket chain remains fighting a class action lawsuit by 5,500 of its employees. At the time of breach, Morrisons was compliant with the requirements set forth by the GDPR predecessor, The Data Protection Act of 1988.

    In 2017, Morrisons was found to not be directly liable for the breach (as it was the actions of a rogue employee), but the court found that, because the auditor was an employee, Morrisons is exposed to vicarious liability – where an employer can be liable for the acts or omissions of its employees, provided it can be shown that they took place in the course of their employment.

    While the case is currently under appeal, the implications for organizations doing business in the U.K. are material and tangible. Should this case uphold, cyber insurance rates will skyrocket (or exclude vicarious liability).

    And because vicarious liability can be caused by an employee merely “doing their job”, it’s conceivable that someone falling for a phishing scam that results in a data breach could expose the organization to vicarious liability claims in court.

    This is a slippery slope for organizations in both the U.K. and the U.S. (as we’re beginning to see government interest in the concept of vicarious liability around data breaches). Organizations need to put controls in place that protect it from cyberattack – from the perimeter (firewalls, email/web scanning, DNS scanning), to the endpoint (AV, EDR), and all the way to the user (Security Awareness Training, Phishing Testing). It’s likely you won’t be able to stop 100% of all attacks, but the goal behind this layered security approach is to absolutely minimize the threat surface, limiting the possibility of breaches that could fall into the “vicarious liability” category.

    Find out how affordable new-school security awareness training is for your organization. Get a quote now.

     
    Get A Quote
    Request A Demo
     

     

    Return To KnowBe4 Security Blog

    Topics: Security Awareness Training, Data Breach, GDPR

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews