Connect with us

Hi, what are you looking for?


Cyber Insurance

GDPR Conformance Does Not Excuse Companies from Vicarious Liability

The UK supermarket chain Morrisons’ legal battle with 5,500 of its own employees over vicarious liability introduces a new threat element to the already complex and confusing demands of the EU’s General Data Protection Regulation (GDPR).

The UK supermarket chain Morrisons’ legal battle with 5,500 of its own employees over vicarious liability introduces a new threat element to the already complex and confusing demands of the EU’s General Data Protection Regulation (GDPR).

In 2014, a Morrisons internal audit employee, Andrew Skelton, stole and disclosed personal information (including names, addresses, bank account, salary and national insurance details) on almost 100,000 Morrisons employees. The difference between this and most ‘insider’ threats is that Skelton had legitimate and trusted access to the data.

Morrisons acted quickly to prevent further losses, and caught the perpetrator. He is currently serving an eight-year jail sentence. Affected employees, however, subsequently joined together in a group (class) action against the supermarket for the disclosure of their information and subsequent distress.

Morrisons has always denied corporate responsibility. It claims the action was that of a rogue employee targeting it, rather than the employees, and that it has sufficient data protection controls to satisfy data protection regulations. To a degree, this is confirmed by the UK data protection regulator, the ICO, deciding not to take regulatory action against Morrisons over the breach.

Nevertheless, the class action went to court. On December 1, 2017, Morrisons was cleared by the High Court of direct liability for the breach (it had not breached any relevant data protection legal principles). The law at the time was the Data Protection Act 1988, the pre-cursor of the Data Protection Act 2018 (GDPR). However, the court also held that Skelton’s actions, as an employee of Morrisons, exposed the firm to vicarious liability outside of the data protection law.

Morrisons appealed. On October 22, 2018, the Court of Appeal unanimously rejected the appeal. Now Morrisons has been formally granted permission to appeal to the Supreme Court. It would be wrong to second-guess the outcome of the final appeal — but two courts have already found against Morrisons. The claimants’ lawyer is confident that that the Supreme Court will reject this second appeal, saying, “we have every confidence that the right verdict will, once again, be reached.”

If the Supreme Court does reject the appeal, then companies will need to reconsider their existing GDPR controls. The High Court suggested that insurance might be a route to limit financial liability, but cyber insurance is still a nascent industry and its ability to handle vicarious cyber liability is not yet tested. So, while insurance might provide an additional layer of security, it should not be relied upon. And it is likely to be expensive. 

Advertisement. Scroll to continue reading.

“If vicarious liability is expanded to include all employees,” Venkat Ramasamy, COO of FileCloud, told SecurityWeek, “then the cyber insurance rates will hit the roof (already they are quite high). Currently, the rates are approximately $4,000 to $8,000 for one million insurance.”

All U.S. companies operating in the UK — and potentially in Europe — will need to consider the implication of vicarious liability. But it also applies within the U.S. There seems to be a growing interest in vicarious liability within government agencies. In a franchise case in 2015, the FTC urged the courts to impose vicarious liability against Wyndham Hotels over data breaches within its franchisees. 

“I believe that if a similar action were to be litigated in the U.S. and was successful,” comments Terence Jackson, CISO at Thycotic, “companies would have to take note and implement more stringent controls around data security. As states begin to draft their own rules in regard to data privacy and ownership, companies would be wise to review their cyber insurance policies and assess current controls they have in place to detect and prevent this type of data loss.”

“The implications of this type of action are huge,” said Etienne Greeff, CTO and co-founder, SecureData; “if businesses can be held accountable for the actions of rogue employees acting criminally, then we will have to treat all our employees as malicious threat actors — which is a huge thing to consider and could have momentous repercussions across the globe in all industries.”

“There’s no way to know for sure until we see more rulings,” comments Francis Dinha, CEO of open source security provider OpenVPN, “but companies do need to prepare for the possibility that they might be liable in all future data breaches, regardless of employees’ intent or actions. In any case, it’s always best to prepare as if you’ll certainly be liable — why wouldn’t you err on the side of caution? Companies need to take responsibility for their data and do whatever they can to keep it safe. That’s the bottom line, whether they’re liable or not — they should be intentional about their cybersecurity at every level.”

The ‘insider’ threat is a known and understood threat. Mostly, however, security controls are designed to detect and prevent staff doing what they shouldn’t. The vicarious liability threat takes this to a different level. The threat is not someone doing what they shouldn’t, but doing what they should do in a malicious manner — even if it is the company and not employees who are primarily targeted. It requires a zero-trust approach even in areas where trust is expected.

Related: The (Re-)Emergence of Zero Trust 

Related: 5 Questions to Help Chart Your Course to Zero Trust Security 

Related: Insider Threat: Common Myths and Misconceptions 

Related: Insider Threats: Protecting Ourselves From Ourselves

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Cyber Insurance

Cyberinsurance and protection firm Boxx Insurance raises $14.4 million in a Series B funding round led by Zurich Insurance.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.