Blog

In a ‘life goes on’ sort of way, the stories of two of the higher profile corporate data breaches in recent times have been updated – one in precedent-setting favor of the retailer concerned, one with a horrible sense of deja vu for the hotel chain involved.

The first involves UK supermarket chain Morrison’s. Back in 2013, the firm admitted to losing the bank account details of 100,000 of its own staff and finding them published on the internet in a massive data hack that grabbed names, addresses, bank account numbers and salaries of employees across the business – including board members.

The breach came about in 2013 when a senior auditor in Morrisons audit team, Andrew Skelton, stole a copy of firm’s payroll data from the company. The data had been legitimately requested by external auditors KPMG, but when Skelton accessed and downloaded it to pass it over, he made a copy for himself on a USB stick.

The following year the stolen data was uploaded to the web and copies sent to three UK newspapers to flag the breach up. Skelton was arrested shortly after and charged with data theft, for which he was sent to prison for 8 years in 2015. At his trial, his actions were blamed on a grudge against Morrisons management after he was accused of dealing ‘legal highs’ in the workplace.

For its part, Morrisons then found itself on the receiving end of a class action suit, alleging that it was vicariously responsible for the breach occurring by dint of having allowed Skelton access to the data in the first place. The case was brought on behalf of 9,263 claimants from across Morrisons workforce, both current and former employees.

Given that Skelton was part of the company’s internal audit team, the retailer countered that accessing such data was part and parcel of his responsibilities. Its legal team argued that the firm could not be held responsible for personal grievances nurtured by its employee.

Despite this, the firm was found to be vicariously responsible for the data theft in a High Court hearing, a ruling which was subsequently challenged by Morrisons, but upheld by three appeal court judges before making its way to the UK Supreme Court. Morrisons has now been cleared of the charge of responsibility.

In the Supreme Court ruling this week, the court determined that Skelton had been pursuing a personal vendetta:

In the present case, it is abundantly clear that [Skelton] was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.”

As such, Supreme Court President Lord Reed said:

The circumstances in which Skelton committed wrongs against the claimants were not such as to result in the imposition of vicarious liability upon his employer. Morrisons cannot therefore be held liable for Skelton’s conduct. It follows that the appeal must be allowed.

Reaction

In response to the ruling, Morrisons said in a statement:

The theft of data happened because a single employee with legitimate authority to hold the data, also held a secret and wholly unreasonable grudge against Morrisons and wanted to hurt the company and our colleagues.

We are pleased that the Supreme Court has agreed that Morrisons should not be held vicariously liable for his actions when he was acting alone, to his own criminal plan and he’s been found guilty of this crime and spent time in jail. A court has already found that Morrisons was not responsible for any direct wrongdoing in respect of this data theft.

We also know that many colleagues appreciated the way we got the data taken down quickly, provided protection for their bank accounts and reassured them that they would not, in any circumstances, be financially disadvantaged. In fact, we’ve seen absolutely no evidence of anyone suffering any direct financial loss.

Why does this matter to anyone other than Morrisons management and shareholders? The broader issue at stake was whether an organization can be held responsible-  or to what extent it can be held responsible – for the actions of employees? Are they accountable if the criminal act conducted by a staffer is a simple act of malice and not a direct consequence of their actual employment by the organization? In other words, how far does an employer’s liability extend? If it was judged that an employer is ultimately responsible for all of its employees actions, then the risk, compliance and cost implications would be enormous.

But while employers will breathe a sigh of relief at the precedent set by the Supreme Court – although there are caveats here -, the ruling obviously comes as a disappointment to the claimants. Their legal representative Nick McAleenan, a Partner and data rights specialist at JMW Solicitors, said:

The Supreme Court’s decision now places my clients, the backbone of Morrisons’ business, in the position of having no legal avenue remaining to challenge what happened to them.   My clients are of course hugely disappointed by the decision, which contradicts two earlier unanimous findings in their favour.

The Supreme Court effectively decided that where a wrongdoer leaks data with the specific intention to harm their employer, the employer may not be held vicariously responsible. The claimants, of course, respect the decision, but the troubling part of this conclusion is that the wrongdoer in this case also wanted to damage his own colleagues, not just Morrisons, and he did so in dramatic fashion.

But there is a positive aspect to be found, he added:

Importantly, the Supreme Court also ruled that the claimants had won part of the appeal. For the first time, the Supreme Court has established the legal principle that employers can now be legally responsible for data breaches caused by their employees – under the law of vicarious liability. This is very significant because most data breaches are caused by human error. This ruling enhances the protection of data for millions of people in this country who are obliged to hand over their own information to businesses every single day. It will raise standards.

Marriott…again?!? 

Meanwhile the Marriott International hotel chain has put its hands up to another massive data breach. This time it’s warning that the contact details, loyalty account numbers and other personal information of an estimated 5.2 million customers may have been exposed by cyber criminals using the login credentials of two employees at a franchise property. In a statement, the firm confessed:

At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. We believe this activity started in mid-January 2020. Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.

As to how this incursion could have occurred:

Hotels operated and franchised under Marriott’s brands use an application to help provide services to guests at hotels. At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. We believe this activity started in mid-January 2020. Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.

This latest incident follows the massive 2018 hack of the central reservation system of Marriott’s Starwood subsidiary, exposing the personal data and records of 500 million guests. It was later identified that the system had been vulnerable since 2014, prior to Marriott’s acquisition of Starwood Hotels in 2016. 

Nonetheless, the UK Information Commissioner’s Office fund that Marriott was guilty of insufficient due diligence during the acquisition and “should have done more to secure its systems”. It fined Marriott £99.2 million in July last year, one of the first big GDPR penalties. While the Marriott incident began before GDPR came into effect, the firm’s failure to discover and disclose the breach until after GDPR was adopted resulted in the fine.

My take

This latest Marriott breach is, on the face of it, less serious than the 2018 one, but to have to confess to one incident is unfortunate, to have to confess to two looks like…well, I’d not be keen handing over my personal details without a lot of reassurance that Marriott is upping its security game. This is an evolving scenario and we’ll doubtless return to it as learnings unfold.

On the other hand, the Morrisons ruling brings a welcome end to an extended period of uncertainly about legal precedent. It also reminds us of a security cliche that I’ve had drummed into me my entire career – the greatest vulnerability is a human being, never mind a human being with a grudge.

It will be interesting to see how many organizations now try to turn to the Morrisons ruling in an attempt to mitigate their own responsibilities in the coming months. It should be noted that the Supreme Court has left open the possibility of an employer being vicariously liable in other, non-grudge centered, circumstances. London-based law firm Osborne Clarke sums it up well:

[The ruling] reaffirms that where employers can demonstrate that they have complied with their own obligations as a data controller, they will not be liable for the acts of employees that are carried out for their own personal motives outside of their duties.

However, the risk of vicarious liability remains. Employers need to be especially vigilant of the roles of responsibility of those entrusted to access and protect personal data and keep such privileges under constant review, particularly if employees fall under suspicion.

Whilst most data breaches are caused by external attacks or inadvertent human error, deliberate thefts or leaks of data by employees are increasingly common, and we have seen the Information Commissioner’s Office becoming more active in the criminal prosecution of such actors.

In other words, the ruling is certainly not a ‘get out of jail free’ card. The data privacy and data protection responsibilities laid down by law remain unchanged. Any enterprise that takes the Morrisons ruling as an expedient fall back if some GDPR shortcoming is exposed is on a hiding to nothing.