This week a trial is ongoing in the High Court which many data protection professionals and in-house lawyers are watching carefully. It is part of a class action by the employees of Morrisons (the supermarket chain) who were affected by the exposure of their payroll data in 2014 by a former colleague with a grudge; and this particular legal action is about the extent of Morrisons’ liability for the criminal actions of their rogue employee.
The former in-house auditor in a senior role, Andrew Skelton, was jailed for 8 years in 2015 for fraud, computer misuse and data protection offences. He copied the company’s payroll information and deliberately published it online out of revenge for a disciplinary investigation.
While Skelton’s actions were illegal, malicious and motivated by the desire to cause damage (to his employer, rather than his colleagues), the question is whether Morrisons had put enough controls in place to prevent unauthorised access and misuse of employees’ data. Both the Data Protection Act, which was in force at the time, and the GDPR, which will be significant for future breach cases, require a Data Controller to put in place “appropriate technical and organisational measures” to protect personal data against theft, loss, damage, misuse or exposure. It is this requirement which will be the focus of the current trial.
What is “Appropriate”?
The fact that there was a breach at all does not necessarily mean that security measures were therefore not adequate. As any intelligence agency knows, there is very little that can be done to prevent a trusted insider from abusing their position if they are really determined to cause damage. On the other hand, that doesn’t justify adopting a fatalistic attitude and not bothering with data protection at all. The grey-shaded middle ground is what will be tested in this case.
The data protection law does not give prescriptive lists of technologies or approaches to information security, but leaves it up to the Data Controller and Data Processor. It is down to them to decide their approach, based on the sensitivity of the data or systems, the potential impact to the data subjects and the current technologies available. Data protection does not require psychic powers to predict and control the future, but it does require analysis, planning, monitoring and response to information security issues.
Technical controls can be of use in managing information risk, provided that they are carefully considered and monitored.
For example: as a senior auditor for the organisation, it is likely that Skelton would have a legitimate reason to access the payroll database at times – but that doesn’t mean he would have needed unrestricted access at all times. Access to systems containing confidential data should be provided on a limited and ‘need to know’ basis only.
It is difficult to think of a scenario where an auditor would need to copy the payroll database to removable media. Perhaps this functionality should have been disabled, or security systems set up to trigger an alert when such activity is detected.
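As an added illustration (not from the original post, and not anything Morrisons ran), here is how the two controls just described could be expressed as a simple detection rule over audit logs: time-limited ‘need to know’ access to the payroll dataset, and an alert on bulk exports or copies to removable media. The log schema, user names, dates and threshold are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    """One constructed audit-log record (hypothetical schema)."""
    ts: datetime
    user: str
    action: str    # "read", "export" or "copy_removable"
    dataset: str   # e.g. "payroll"
    rows: int = 0  # rows touched, where the system records it


# Need-to-know: (user, dataset) -> approved access window. Grants are
# time-limited, so even a senior auditor has no standing access.
GRANTS = {
    ("auditor01", "payroll"): (datetime(2014, 1, 6), datetime(2014, 1, 10)),
}
SENSITIVE_DATASETS = {"payroll"}
BULK_ROW_THRESHOLD = 1_000  # constructed threshold for a "bulk export"


def evaluate(events, grants=GRANTS):
    """Return (rule, user, date) alerts for the controls the post describes."""
    alerts = []
    for e in events:
        window = grants.get((e.user, e.dataset))
        day = e.ts.strftime("%Y-%m-%d")
        if window is None or not (window[0] <= e.ts <= window[1]):
            alerts.append(("no_current_need_to_know", e.user, day))
        if e.dataset in SENSITIVE_DATASETS:
            if e.action == "copy_removable":
                # The post suggests disabling this or alerting on it.
                alerts.append(("removable_media_copy", e.user, day))
            elif e.action == "export" and e.rows >= BULK_ROW_THRESHOLD:
                alerts.append(("bulk_export", e.user, day))
    return alerts


# Constructed sample log: a routine audit read, then a bulk export and a
# removable-media copy, then access after the grant expired and by a user
# who never had a grant.
SAMPLE_EVENTS = [
    Event(datetime(2014, 1, 7, 9, 30), "auditor01", "read", "payroll", 25),
    Event(datetime(2014, 1, 8, 17, 5), "auditor01", "export", "payroll", 100_000),
    Event(datetime(2014, 1, 8, 17, 9), "auditor01", "copy_removable", "payroll", 100_000),
    Event(datetime(2014, 2, 15, 8, 0), "auditor01", "read", "payroll", 10),
    Event(datetime(2014, 1, 7, 11, 0), "hr_clerk", "read", "payroll", 3),
]

if __name__ == "__main__":
    for rule, user, day in evaluate(SAMPLE_EVENTS):
        print(f"{day} {user}: {rule}")
```

Whether an alert like this is worth the cost of collecting and reviewing the logs is exactly the risk-based decision the post goes on to discuss.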
These technical controls are easy to specify in an abstract discussion but much more difficult to implement in real life. Sometimes the resources and cost of security controls cannot be justified when the risk that they mitigate is unlikely to ever occur. The question will be whether these controls were considered at all and a rational risk-based decision made on their value. If Morrisons can prove that they were actively monitoring information security risks, were taking decisions about data protection based on analysis of impact and likelihood, then they will have a stronger case in their defence.
Action point: It’s impossible to eliminate all information security risks, so decisions about prioritisation and risk tolerance need to be made and continually re-evaluated. Your organisation should monitor data protection risks and make informed decisions about how to respond. Making sure these risks and decisions are documented is a key part of the GDPR Accountability Principle.
As well as technical controls, the human factor is significant. Policies which exist on paper to satisfy auditors but are not adhered to in practice (which would be rather ironic if this were the case at Morrisons) are of little value when reality bites. Many organisations struggle to reconcile workplace culture and working practices with the restrictions and requirements of their formal policies. In an environment where policy violations occur frequently and unremarkably, there may be a ‘slippery slope’ effect where unacceptable behaviours become commonplace. If Morrisons had clear, fit-for-purpose policies around access to data, use of IT systems and acceptable behaviours (which were implemented effectively with compliance checks and appropriate remedial action for violations) then their position is strengthened.
Action point: Check that policies and procedures truly support business operations and practices. Update them if they are overly restrictive or permissive. Carry out regular checks to ensure that staff are familiar with the content and are applying that information in their day-to-day working. Make sure that incidents are reported, investigated and appropriate action is taken – this is not necessarily a disciplinary process but may require education about risk, compliance and acceptable behaviours instead. However, it is important to bear in mind that tools and processes to monitor behaviours can be costly, may be of limited value, or may become a liability if wrongly configured or if the tool or process itself undermines data protection (such as excessively intrusive monitoring of employee activities).
Whatever the outcome of this trial, it has raised awareness of what information security folks call “insider threat”. It will likely demonstrate that although preventing all incidents is not really possible, making (and keeping records of) reasonable efforts of information security is definitely necessary – because one day you may be required to prove that you did.