[BreachExchange] Law Column: The Morrisons data breach and why it matters

Audrey McNeil audrey at riskbasedsecurity.com
Thu Dec 28 19:40:54 EST 2017


https://www.holdthefrontpage.co.uk/2017/news/law-column-
the-morrisons-data-breach-and-why-it-matters/

Newspapers are a gold mine of information. Externally this presents in the
form of news archives. Behind the scenes are the reams of personal
information collected and retained for stories, some of which will be
published, some which may never see the light of day.

The Data Protection Act applies to any organisation handling information
about people, so includes media organisations and the information they hold
on people they are investigating or writing about. The journalistic
exemption allows journalists to process that data with a view to
publication where there is a reasonable belief that publication is in the
public interest. However they are still required, as with any other
organisation, to take reasonable steps to protect that information.

In December, a landmark ruling in the High Court demonstrated the
increasingly high stakes of failing to prevent that information being lost.
A judge found the Morrisons supermarket group to be vicariously liable for
a mass data breach caused by the criminal actions of an employee. The case,
brought by 5,518 Morrisons employees, is the UK’s first group litigation
for a data breach.

With the GDPR due to come into effect in May 2018 and increasing awareness
of data protection rights, the case is yet another example of the expansion
of data protection as a litigation tool, highlighting the need to protect
the information you hold.

The Morrisons case

In January 2014 Andrew Skelton, a trusted and previously reliable employee,
published payroll data for around 100,000 Morrisons staff online, also
sending it to various newspapers. The data included salaries, bank account
details, national insurance numbers and dates of birth. The data was
available online for less than 24 hours, the company having taken immediate
(and apparently effective) steps to remove it from public access.

A criminal court subsequently punished Mr Skelton by imposing a sentence of
eight years imprisonment for the criminal act. Skelton had become
disgruntled following disciplinary action brought against him, which he
perceived to be heavy handed.

By 2015 Morrisons found itself faced with a claim by 5,518 in the first
group litigation of its kind in the UK, brought under the Data Protection
Act 1988, misuse of private information and breach of confidence.

On 1 December 2017, Mr Justice Langstaff found Morrisons to be vicariously
liable for the actions of its rogue employee. This was despite the court
acknowledging that the company had taken all the appropriate steps to
prevent a breach and did not know and could not reasonably have been
expected to know that Mr Skelton was so disgruntled as to pose a criminal
threat.

Protecting and retaining journalistic information

It is now widely accepted that all companies should be prepared for ‘when,’
not ‘if,’ they suffer a data breach and given the unpublished information
they hold, media organisations are obvious targets. At company level the
ICO expects appropriate technical and organisational measures to be in
place protecting data, but there are also steps every journalist should be
taking:

- Collecting information: under data protection law, information must be
obtained in a fair way. ICO guidance states that in practice this means
that there must be a journalistic justification for collecting the
information. While the ICO accepts that journalists will not always want to
notify individuals that they are investigating them, there must be a valid
reason (i.e. public interest) for not doing so.
- Retaining information: the ICO guidance states that information should be
reviewed from time to time to ensure that it is still up to date and
relevant, deleting any information no longer needed for journalistic
purposes.
- Securing information: all organisations, including media organisations,
are required to take reasonable steps to retain people’s information
securely and prevent it from being lost, stolen or misused. This means
taking steps to secure documents and electronic devices and using password
protection and encryption where possible.

With consumers becoming more and more aware of their data protection
rights, the Morrisons decision seems likely to be just the first example of
group litigation in this area. If a company can be found liable despite
having taken appropriate measures, how will a company without such a
spotless score card fare?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171228/d4c3d72b/attachment.html>


More information about the BreachExchange mailing list