When compliance isn’t enough

As anyone reading the news will have seen, Morrisons has been found liable for the fallout from its payroll leak of 2014, where approximately 100,000 employees had their data leaked by a disgruntled insider.

What seems to have received less attention in the resulting press coverage is the court’s assessment of the sufficiency of cyber security controls around the data Morrisons holds. Justice James Langstaff deemed the controls in place to be ‘adequate and sufficient,’ but still left Morrisons holding liability for the compromise. So what happened?

The turning point for Morrisons seems to be that the compromise was undertaken by one of its own staff, leaving Morrisons exposed to what is known as vicarious liability. Essentially, the ruling states that Morrisons can be held liable for the actions of its staff in this data breach, regardless of the company’s compliance with the Data Protection Act.

Clearly this is an important decision, and it serves to highlight both the importance of addressing the insider threat, and the fact that DPA compliance does not automatically remove all risk of liabilities stemming from a data breach.

Cyber security teams need to review the impact of this decision carefully. ‘Is it compliant?’ is often the benchmark people apply to data protection controls; if that has been your line until now, it may well be time to review your data protection controls, and your insider threat controls in particular.