Supreme Court Rules on Data Breach Responsibility

In a significant finding, the UK’s Supreme Court has overturned a High Court judgment that previously held the supermarket Morrisons liable for a maliciously motivated insider data breach.

In a major moment in the history of insider threat cases, the Supreme Court’s unanimous judgment clears Morrisons supermarket of the ‘vicarious liability’ claimed against it in a case stemming from a data breach involving thousands of employees’ personal data.

Costing the company a reported £2 million to rectify, the Morrisons insider threat breach occurred in 2014 and saw nearly 100,000 employees’ payroll data disseminated online. The breach was the work of a disgruntled Morrisons auditor who, holding a grudge against the company over a disciplinary matter, stole and published copies of the data in the hope of damaging his employer’s reputation.

Malicious Insider Leaked 100,000 Employees’ Sensitive Data

The individual responsible, Andrew Skelton, was sentenced to eight years for fraud, though a group of over 5,000 employees took the supermarket to court for the ‘upset and distress’ caused by the leak, claiming their employer was partially to blame for Skelton’s actions.

The 2017 High Court ruling, which originally found Morrisons responsible for the actions of its employee, was the first instance of ‘vicarious liability’ being applied to a case of misuse of information, emphasising the risk that insider threat poses not only to data security but to organisational liability.

Responsibility for Data Breaches

Lord Reed, the president of the Supreme Court, stated: “Skelton was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta.” The decision has left 9,000 claimants, according to their legal representation, “hugely disappointed”.

Though the Supreme Court has found in favour of the supermarket’s appeal, the case does establish a clear legal principle: organisations can be held vicariously liable for the actions of an employee that result in a data breach; the principle simply did not apply on the facts of this case.

A spokesperson for Morrisons said of the breach: “The theft of data happened because a single employee with legitimate authority to hold the data also held a secret and wholly unreasonable grudge against Morrisons and wanted to hurt the company and our colleagues.”

Insider Threat

Given how much sensitive data companies handle, and the ease with which a rogue employee can copy that information, it is no wonder that cases such as this are being closely watched by companies across the UK.

It may come as a surprise to some, but over 60% of organisations have experienced an insider threat. At the same time, the cost of insider threats continues to rise, with an estimated 31% increase from $8.76 million in 2018 to $11.45 million in 2020.

In the face of a ‘personal vendetta’, as in the Morrisons insider threat breach, or an attack motivated by unseen malice, it may seem that organisations are without recourse. There is, however, always more that can be done to mitigate the risk posed by insider threat actors, starting with robust information security awareness training.