Security Experts: GDPR Conformance Does Not Excuse Companies from Vicarious Liability

The UK supermarket chain Morrisons' legal battle with 5,500 of its own employees over vicarious liability introduces a new threat element to the already complex and confusing demands of the EU's General Data Protection Regulation (GDPR).

In 2014, a Morrisons internal audit employee, Andrew Skelton, stole and disclosed personal information (including names, addresses, bank account, salary and national insurance details) on almost 100,000 Morrisons employees. The difference between this and most 'insider' threats is that Skelton had legitimate and trusted access to the data.

Morrisons acted quickly to prevent further losses, and caught the perpetrator. He is currently serving an eight-year jail sentence. Affected employees, however, subsequently joined together in a group (class) action against the supermarket for the disclosure of their information and subsequent distress.

Morrisons has always denied corporate responsibility. It claims the action was that of a rogue employee targeting it, rather than the employees, and that it has sufficient data protection controls to satisfy data protection regulations. To a degree, this is confirmed by the UK data protection regulator, the ICO, deciding not to take regulatory action against Morrisons over the breach.

Nevertheless, the class action went to court. On December 1, 2017, Morrisons was cleared by the High Court of direct liability for the breach (it had not breached any relevant data protection legal principles). The law at the time was the Data Protection Act 1988, the precursor of the Data Protection Act 2018 (GDPR). However, the court also held that Skelton's actions, as an employee of Morrisons, exposed the firm to vicarious liability outside of the data protection law.

Morrisons appealed. On October 22, 2018, the Court of Appeal unanimously rejected the appeal. Now Morrisons has been formally granted permission to appeal to the Supreme Court. It would be wrong to second-guess the outcome of the final appeal -- but two courts have already found against Morrisons. The claimants' lawyer is confident that the Supreme Court will reject this second appeal, saying, "we have every confidence that the right verdict will, once again, be reached."

If the Supreme Court does reject the appeal, then companies will need to reconsider their existing GDPR controls. The High Court suggested that insurance might be a route to limit financial liability, but cyber insurance is still a nascent industry and its ability to handle vicarious cyber liability is not yet tested. So, while insurance might provide an additional layer of security, it should not be relied upon. And it is likely to be expensive. 

"If vicarious liability is expanded to include all employees," Venkat Ramasamy, COO of FileCloud, told SecurityWeek, "then the cyber insurance rates will hit the roof (already they are quite high). Currently, the rates are approximately $4,000 to $8,000 for one million insurance."

All U.S. companies operating in the UK -- and potentially in Europe -- will need to consider the implication of vicarious liability. But it also applies within the U.S. There seems to be a growing interest in vicarious liability within government agencies. In a franchise case in 2015, the FTC urged the courts to impose vicarious liability against Wyndham Hotels over data breaches within its franchisees. 

"I believe that if a similar action were to be litigated in the U.S. and was successful," comments Terence Jackson, CISO at Thycotic, "companies would have to take note and implement more stringent controls around data security. As states begin to draft their own rules in regard to data privacy and ownership, companies would be wise to review their cyber insurance policies and assess current controls they have in place to detect and prevent this type of data loss."

"The implications of this type of action are huge," said Etienne Greeff, CTO and co-founder, SecureData; "if businesses can be held accountable for the actions of rogue employees acting criminally, then we will have to treat all our employees as malicious threat actors -- which is a huge thing to consider and could have momentous repercussions across the globe in all industries."

"There's no way to know for sure until we see more rulings," comments Francis Dinha, CEO of open source security provider OpenVPN, "but companies do need to prepare for the possibility that they might be liable in all future data breaches, regardless of employees' intent or actions. In any case, it's always best to prepare as if you'll certainly be liable -- why wouldn't you err on the side of caution? Companies need to take responsibility for their data and do whatever they can to keep it safe. That's the bottom line, whether they're liable or not -- they should be intentional about their cybersecurity at every level."

The 'insider' threat is a known and understood threat. Mostly, however, security controls are designed to detect and prevent staff doing what they shouldn't. The vicarious liability threat takes this to a different level. The threat is not someone doing what they shouldn't, but doing what they should do in a malicious manner -- even if it is the company and not employees who are primarily targeted. It requires a zero-trust approach even in areas where trust is expected.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.