We can recall the story of Andrew Skelton, a senior internal auditor for Morrison’s. The man who leaked information regarding nearly 100,000 of his fellow staff’s bank details, salaries and National Insurance numbers to several newspapers and data-sharing websites.
The leak has been described as the biggest in British corporate history. Mr Skelton is currently serving an 8-year sentence and pay must pay Morrison’s £170,000 in damages. This is stark contrast to the £2,000,000 the breach cost Morrison’s as of July 2015, and the further £2,000,000 the supermarket assert they spent on protective systems to prevent future breaches. There are also intangible costs to be considered, such as damage to reputation and employee morale.
November 2015 saw a Group Litigation Order granted by the High Court with a cut off-date of the 8th April 2016 for those who wanted to join in the claim for damages. This was based on the assertion that Morrison’s could have done more to prevent the leak, and financial loss caused. It is estimated that over 6,000 current and previous employees have joined the action.
Morrison’s have attempted to rubbish claims that they are responsible for the actions of a ‘rogue individual’. They state that they are unaware of anyone suffering any financial loss because of the data leak.
Comment
This matter shows of the potential ease in which data leaks can occur if adequate protection measures are not implemented. It also highlights the potential circumstances in which leaks may wholly be out of the holder’s control. While encryption and certain security measures may be implemented to hinder employees like Mr Skelton from uploading information online, they do not provide absolute protection from data leaks.
In the event a data leak does occur, there should be provisions in place in order to respond; a data breach procedure could be put in place as part of a wider data protection framework.
In their “Second Annual Data Breach Forecast” Experian noted that employee mistakes; whether in error, or as in the case of Mr Skelton, malicious, are a company’s biggest threat.
With the date in for the General Data Protection Regulation set for May 2018, now would be a good time to review your businesses data protection practices.
Please contact us for further information.