Data security – more reasons to be on your guard
16 January 2018
The upcoming implementation of the EU’s General Data Protection Regulation (GDPR), and complementary legislation in Guernsey and Jersey, is causing data protection issues to shoot to the top of business agendas. But a tendency to look outwards could be damaging, as a recent UK case involving Morrisons supermarkets shows.
Morrisons found itself facing a class action in the UK after a massive leak of personal payroll data of almost 100,000 employees. The leak was deliberately carried out by a disgruntled employee who’d worked for the supermarket as an IT auditor. Although he’d come into possession of the data legitimately, he leaked it with the intention of damaging the company.
Despite swift action at significant expense by Morrisons when it became aware of the leak, over 5,500 employees brought a claim against the supermarket and it was held accountable for the acts of its rogue employee.
The case was the first UK class action for a security breach, but more are likely. The fact that it happened, and that Morrisons was held vicariously liable, emphasises that, amid the rush to become GDPR-compliant and fend off external cyber attacks, businesses must remember to look inwards too.
All organisations need an action plan that they can put into effect in the event of a data breach, and they need to make sure they’re aware of the widening circumstances in which they could be liable for the actions of their employees.
Data security certainly isn’t going to vanish off the agenda once GDPR is in force, and Morrisons is unlikely to be the last business to face a data security class action.