So far, the courts say yes, but that could change.
If one of your employees stole all the personal data held by your business and then sold it on the dark web, should you be held responsible for their actions?
On the face of it, you might expect the answer to be a resounding ‘no’, but it’s not that simple. Organisations that process data have a legal duty to protect it, and they can be fined significant sums by the Information Commissioner’s Office if they let it fall into the wrong hands.
As things stand, this includes data that is stolen by rogue employees, and the only thing that is likely to change that is a Supreme Court case brought by the supermarket chain Morrisons. Since late 2017, it has been fighting a High Court ruling that held it vicariously liable for the actions of Andrew Skelton, an internal auditor at the firm’s head office, who stole the data of around 100,000 Morrisons employees and leaked it online in 2014. Skelton, who held a grudge against the company over a previous incident, was eventually jailed for eight years, but Morrisons found itself on the hook too.
As you’d expect, Morrisons appealed, but in October 2018 that appeal was rejected, so the company took the fight to the Supreme Court, where it is now being heard. If Morrisons loses this case, it will have to pay compensation to all the affected employees – an outcome it has thus far avoided and which could be extremely costly.
Far from being a decision that only affects Morrisons, how the Supreme Court rules in this case will have far-reaching ramifications for every business, every charity, every public sector organisation and every club that holds personal data.
If the court finds in favour of Morrisons, it will set a precedent that may essentially act as a get-out clause for organisations if a rogue employee steals data. This could significantly weaken data protection laws, and it wouldn’t provide any encouragement for organisations to protect data from insider fraud.
If the decision goes the other way, then any organisation that handles data will have to think very carefully about how it can prevent rogue employees from committing this kind of fraud.
It might seem unfair to blame businesses for what their employees do. After all, how can they prevent individuals from going rogue? But there are, in fact, things you can do to protect data from being misused in this way.
In the Morrisons case, the data was loaded onto a USB storage device by Skelton, taken home and uploaded to the dark web. By disabling USB storage devices on your computers, you can block off at least one potential weak spot.
With device management solutions such as Microsoft Intune (part of Microsoft Enterprise Mobility + Security), it's possible to limit access to your network only to devices that you approve. That means only the phones, tablets, laptops and PCs you choose to allow. Furthermore, you can determine what apps those devices can install and run, and you can make certain security settings a prerequisite for access.
Automated network monitoring can help to identify suspicious file transfers, which might otherwise be missed. It can also aid you in rooting out devices that don’t have adequate security, and which could therefore potentially be used by a rogue employee to get data off site.
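To show what "identifying suspicious file transfers" looks like in practice, here is an added example (not code from the article or from any monitoring product) of a small rule-based detector run over constructed transfer log lines. The log format, the approved-destination list, the size thresholds and the business-hours window are all assumptions; a real deployment would take them from its own monitoring tool and baseline.

```python
"""Flag suspicious outbound file transfers in constructed transfer logs.

Added illustration of the checks a network monitoring tool might apply:
unapproved destination, unusually large single transfer, transfer outside
business hours, and cumulative daily volume per user. All values are assumed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic):
# timestamp  user  destination-host  bytes-sent
SAMPLE_LOG = """\
2014-01-12T09:15:02 alice fileshare.corp.example 1200000
2014-01-12T10:40:11 bob fileshare.corp.example 850000
2014-01-12T23:05:44 mallory upload.anon-host.example 410000000
2014-01-13T08:02:19 alice mail.corp.example 300000
2014-01-13T12:31:07 mallory upload.anon-host.example 120000000
2014-01-13T13:10:50 bob fileshare.corp.example 9000000
"""

# Assumed policy values; tune to your own environment's baseline.
APPROVED_DESTINATIONS = {"fileshare.corp.example", "mail.corp.example"}
SINGLE_TRANSFER_LIMIT = 100_000_000   # 100 MB in a single transfer
DAILY_USER_LIMIT = 200_000_000        # 200 MB per user per calendar day
BUSINESS_HOURS = range(7, 20)         # 07:00 to 19:59


def parse_log(text):
    """Parse the whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dest, nbytes = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "dest": dest,
            "bytes": int(nbytes),
        })
    return events


def detect_suspicious_transfers(events):
    """Return one alert per event that trips at least one rule.

    Events must be in chronological order so the per-user daily total
    accumulates correctly.
    """
    alerts = []
    daily_totals = defaultdict(int)
    for ev in events:
        reasons = []
        if ev["dest"] not in APPROVED_DESTINATIONS:
            reasons.append("unapproved destination")
        if ev["bytes"] > SINGLE_TRANSFER_LIMIT:
            reasons.append("large single transfer")
        if ev["time"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        key = (ev["user"], ev["time"].date())
        daily_totals[key] += ev["bytes"]
        if daily_totals[key] > DAILY_USER_LIMIT:
            reasons.append("daily volume exceeded")
        if reasons:
            alerts.append({
                "time": ev["time"].isoformat(),
                "user": ev["user"],
                "dest": ev["dest"],
                "bytes": ev["bytes"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_transfers(parse_log(SAMPLE_LOG)):
        print(alert["time"], alert["user"], alert["dest"],
              alert["bytes"], "; ".join(alert["reasons"]))
```

Run against the constructed sample, only the two transfers to the unapproved host are flagged; the late-night one trips every rule at once, which is the kind of stacked signal worth routing to a person rather than just a log file.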
One good way to discourage rogue activity is to use some kind of document tracking solution. This keeps a record of any changes to documents, as well as of whenever anyone accesses or shares them. This is also a feature of Enterprise Mobility + Security.
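As an added example of the record a document tracking solution keeps (this is illustrative code, not part of the article and not how Enterprise Mobility + Security or any other product is implemented), the following hash-chained audit trail logs every view, edit and share of a document, fingerprints each edited version by its SHA-256, and can detect if a log entry is later altered. The action names, document identifiers and timestamps are constructed.

```python
"""Append-only, hash-chained audit trail for document access and changes.

Added illustration: each entry stores the hash of the previous entry, so
deleting or editing an earlier record breaks the chain and verify() fails.
Document identifiers and users below are constructed sample values.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the very first entry


class DocumentTracker:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(entry):
        # Canonical JSON so the same entry always hashes the same way.
        payload = json.dumps(entry, sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()

    def record(self, action, user, doc_id, content=None, timestamp=None):
        """Append one event. For edits, pass the new content so its
        fingerprint is stored alongside who changed it and when."""
        entry = {
            "seq": len(self.entries),
            "time": timestamp or datetime.now(timezone.utc).isoformat(),
            "action": action,          # e.g. "view", "edit", "share"
            "user": user,
            "doc": doc_id,
            "content_sha256": (hashlib.sha256(content).hexdigest()
                               if content is not None else None),
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True if every entry is intact and correctly chained to its
        predecessor; False if anything was altered, removed or reordered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "hash"}
            if self._entry_hash(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def history(self, doc_id):
        """All recorded events for one document, oldest first."""
        return [e for e in self.entries if e["doc"] == doc_id]


def build_sample_trail():
    """Constructed sequence of events for a payroll export document."""
    t = DocumentTracker()
    t.record("view", "alice", "payroll-export", timestamp="2014-01-12T09:00:00+00:00")
    t.record("edit", "alice", "payroll-export", content=b"v2 of payroll",
             timestamp="2014-01-12T09:05:00+00:00")
    t.record("view", "bob", "staff-handbook", timestamp="2014-01-12T09:30:00+00:00")
    t.record("share", "mallory", "payroll-export", timestamp="2014-01-12T23:10:00+00:00")
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    for e in trail.history("payroll-export"):
        print(e["time"], e["user"], e["action"], e["content_sha256"])
    print("chain intact:", trail.verify())
```

The value of the chain is that an insider with access to the log cannot quietly erase the share event that implicates them without invalidating every later hash; in practice the entries should also be shipped to a store the tracked users cannot write to.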
There are no excuses for engaging in criminal behaviour, of course, but businesses aren’t doing themselves any favours if they mistreat staff or allow resentment to grow among them. Keeping employees happy and making them feel valued will encourage loyalty, which reduces the chance of insider fraud.