[BreachExchange] The Real Threat of Vicarious Liability

Mon Apr 23 19:42:08 EDT 2018

https://www.business2community.com/cybersecurity/the-real-threat-
of-vicarious-liability-02049135

As a recent British case shows, even U.S. companies can be held responsible
if their employees commit a data breach. Here’s how to prevent that.

If an employee commits a data breach and publishes sensitive customer or
employee information, he can be held liable and prosecuted. But a recent
judgment against a U.K. supermarket chain, W.M. Morrisons, shows that the
employees’ employer can be prosecuted for the breach as well.

A few years back, a disgruntled employee uploaded the names, addresses,
bank accounts, and other personal data of 100,000 employees to a public
website. The supermarket acted quickly to pull down the information, and
the rogue employee, a senior IT auditor, was tried, convicted of fraud, and
given eight years in prison. But that wasn’t the end of the case. More than
5,000 employees filed a class action against Morrisons, claiming that the
chain had failed in its statutory duty under the Data Protection Act of
1998. In early December 2017, the United Kingdom High Court ruled in their
favor.

Well, you might say, that’s Britain. We’re an American company.

Unfortunately, that won’t protect you from vicarious liability. Under the
legal doctrine, respondeat superior (“Let the master answer,” in Latin), a
party is responsible for the acts of its agents—in this case an employee
whose action is considered within the scope of his or her employment.Not
long after the U.K. breach, my colleague Mike Tierney wrote about the
Morrisons case, warning of insider threats from disgruntled employees with
authorized access to sensitive data and systems. His intent was to prompt
organizations to focus on a very real problem.

The data breach itself was four years ago. The judgment of vicarious
liability brings a new sense of urgency. By this time, most American
organizations appreciate the risk of insider exfiltration. Some of them
must still be asking: “What do I do about it?”

Every company has aggrieved employees—people who believe they have somehow
been wronged. Maybe they’ve just had a bad review or been passed over for
promotion or a raise they think they deserved. Perhaps they’ve been
reprimanded or disciplined for an action—like the Morrisons IT guy who had
been caught selling eBay items in the company mailroom—and believe the
company treated them unfairly. Maybe they’ve just been fired.

Disgruntlement is often a marker, a known precursor to a threat of
potentially dangerous misbehavior, such as a data breach or theft.
Vengeance is a basic human impulse—not a particularly laudable one, but a
common enough response to a perception of being slighted.

How do you arrest disgruntlement before it becomes a full-blown malicious
breach?

A system to keep an eye on the actions and behavior of employees is a great
start. But while security teams can usually catch a breach after it’s
occurred, they can’t always see the early signs of trouble.

This is where HR comes in. That department is every organization’s first
line of defense because it sees and hears it all from employees. HR folks
are trained to recognize which negative workplace events—as well as
financial pressures and problems at home—may trigger some kind of
malfeasance.

But frequently, security teams aren’t clued in. They don’t necessarily know
when someone walks out of an HR office upset about something—until it’s too
late. Too often there is a disconnect between those who know something and
those who need to know it.

To minimize the danger of insider threats, HR and security have to become
better partners. They need to share relevant information about employees
and to do so in a way that doesn’t violate an individual’s privacy. It’s
the only sound reality check on those risks.

Everyone in your company needs to know there’s a new sheriff in town or, at
least, a new way of dealing with security. There’s really no other way to
protect your most valuable and sensitive information—and to protect
yourself from potentially costly litigation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180423/e1f456ac/attachment.html>