The purpose of this article is to summarize the lessons that a company can learn from the Morrisons Case with regard to the level of protection that can be considered as “sufficient” and “adequate” for the protection of the personal data of their employees. [1]

In our daily practice, our clients are more often than not perplexed by the requirements that we consider appropriate to protect the personal data processed within employment relationships (and sometimes also before an employment relationship is actually established), as they consider that employee and applicant data can be protected by far less zealous controls. The Morrisons case, however, shows not only that companies need to guarantee the security, confidentiality and availability of their employees’ data by implementing the most stringent technical and organizational measures, but also that the employer can be held liable for the wrongdoing of one of its employees with regard to the personal data that the company is bound to protect.

The class action brought by 5,518 claimants, all Morrisons employees, raised the question of whether an employer is liable, directly or indirectly, for the criminal actions of an employee who discloses personal information about co-employees on the web.

The facts

On 12 January 2014 a file containing personal details of 99,998 employees of “Morrisons” was posted on a file sharing website. Shortly after that, links to the website were also placed elsewhere on the web. The data consisted of the names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and salary information.

On 13 March 2014, a CD containing a copy of the data was received by three newspapers in the UK. The person sending the CD did so anonymously, purporting to be a concerned person who had worryingly discovered that payroll data relating to almost 100,000 Morrisons employees was available on the web. It gave a link to the file sharing site. The information was not published by any of the newspapers concerned. Instead, the Bradford Telegraph and Argus told Morrisons of it. There was immediate concern. The most senior managers within Morrisons were concerned that the information might be used by outsiders to access the bank accounts of individual employees or to aid identity theft. It could enable intending fraudsters to phish for the additional information needed to gain dishonest access to the employees’ bank accounts, take out loans, or make purchases under an assumed identity. This was a serious risk.

Morrisons’ senior management was alerted to the disclosure on 13 March 2014. Within a few hours, they had taken steps to ensure that the website had been taken down. Such links as there were to the file sharing website from other sites were then no longer effective in helping a searcher to discover any personal data. Morrisons also alerted the police. It was rapidly established that the data, in the quantity and style in which it was presented, had almost certainly been derived from data held centrally by Morrisons in relation to its employees.

Only a limited number of employees had been permitted access to the whole of this data, which was held in a supposedly secure internal environment created by proprietary software known as “PeopleSoft”. It was possible to tell when the data had been extracted by comparing the disclosed material with the database: the times that entries were made into the database or deletions made from it were automatically logged. It was possible by this process to show that the data held in PeopleSoft had been copied during the afternoon of 14 November 2013. It was then also possible to show that at that time one of the “super users” (the name for people who had access to the whole of the PeopleSoft database) had extracted data corresponding to that disclosed by means of an SQL (Structured Query Language) query, within the time period during which the data containing the information disclosed must have been copied. This person was arrested on 17 March 2014. Another employee, an investigator, was also identified as a suspect, because his initials and date of birth appeared in the user name adopted for the account which had been used in January 2014 to post the data file onto the internet. It very quickly emerged that the first person was not responsible for disclosing the file to the web, and that the initials and date of birth of the investigator had been used in a deliberate attempt to frame him. He too was completely innocent. On 19 March, Andrew Skelton, a Senior IT Auditor employed by Morrisons, was arrested. He was charged with offences under the Computer Misuse Act 1990, of fraud, and under Section 55 of the Data Protection Act 1998, tried at Bradford Crown Court in July 2015, and convicted. He was sentenced to a term of 8 years’ imprisonment, which he is still serving.

The data leak preparation in detail

On 1 November 2013, the external auditor of Morrisons, KPMG, requested a number of categories of data from Morrisons. This data was held in different places, so it was convenient for it to be collated before transmission to KPMG. The request came to Mr A. In previous years Mr A had been charged by Mr B, head of the team, with arranging for the transmission of such data to the external auditor. Mr A delegated the task in 2013 to Skelton, one of the two or three internal auditors who reported to him, just as he had delegated an identical task to Skelton in 2012. Skelton in turn sent an email request to Mr C of the HR department, who had super-user access to PeopleSoft. He in turn delegated the task of extracting a copy of the data, by means of an appropriate SQL query, to another employee. On 14 November, in the late afternoon, that employee obtained an electronic copy of the data. He attempted to email the data internally to Skelton. The transfer would have been secure if the internal email system had been able to cope with the transfer of a data file of that size. It was not, so the email “bounced back” to that employee’s computer. Accordingly, the next day he copied the data from his computer onto a USB stick. The USB stick was encrypted (personal USB sticks were not to be used; a limited number of USB sticks were made available to senior employees, obviously for the transfer of data, and all were encrypted). He took the USB stick personally to Skelton at his laptop computer, which was itself encrypted, and was present while the data was downloaded from the stick onto the computer. Skelton was supplied with a separate USB stick from KPMG, encrypted by it, onto which he later copied the data. He had the task of collating the payroll data with other data which had been requested by KPMG and which was not itself held on the PeopleSoft system.

For that reason, the payroll data was not sent immediately to KPMG, but remained stored for the time being on Skelton’s computer. On 18 November 2013 an unknown USB device was inserted into Skelton’s work laptop. Various files, which included the payroll data and the file later uploaded to the file sharing website, were deleted from that same USB device on 12 March 2014, using Skelton’s personal computer to do so.

The next incident of note before the uploading of the data to the file-sharing website was on 16 December 2013. Skelton attempted to access the TOR website from his work laptop. This was unknown to Morrisons until after it had come to light that the employee details had been placed in a file on a file sharing website and copied to national and local newspapers, on respectively 12 January and 13 March 2014.

The system within which the data leak was perpetrated

The payroll data was held on the PeopleSoft system. Employees had access to their own personal details; managers had access to theirs and to those of the employees who reported directly to them. 22 “super users” had unfettered access to the data. The judge in the Morrisons case noted that “the existence of any one super user inevitably posed a risk that the person might deliberately or inadvertently disclose data unlawfully”.

The case proceeded, however, on the basis that, because access was limited and use of the data could be tracked, the system was appropriately secure.

The Chief Information Security Officer of Morrisons told the judge in the case that “He saw his role as to assist the data controller (Morrisons) to manage such risks in its operations through the application of appropriate and otherwise proportionate controls. He recognized that the hardest vulnerability to guard against was that of a person with authorized access behaving in a criminal manner.”

Paragraph 79 of the judgement expresses the view of Judge Langstaff with regard to the system: “In summary, in any system which permits human access to data there are inevitably risks that that data might be mis-processed, mishandled, or even disclosed without authority. The evidence is that Morrisons took precautions to prevent that so far as they could by limiting access to a few trusted employees only. I am satisfied that the data was protected by restrictions on access, and there were sufficient internal checks available to see which of the few authorized super users had access to the data any more generally than to inquire about their own particulars.”

The data transmission chain

The process which led to the disclosure by Skelton involved the transfer to him of data.

From Judge Langstaff’s perspective, “to extract data from the PeopleSoft database, and store it temporarily on the work laptop of an internal auditor left that data no less secure than it had been while held in PeopleSoft. That is because such a laptop was itself encrypted, and in addition accessible only to one person – he or she who held the encryption key (…) the transfer from Michael Leighton to Skelton was secure: the USB was encrypted, and Mr. Leighton took the USB away with him after transfer, which he saw taking place. Moreover, even if the method of transfer had been insecure there is nothing in this case to suggest that that in any way caused the unauthorized disclosure of information contained in the data onto the web in January 2014. I accept that storing the data upon a collator’s individual computer, whilst all the data subject to the request from the various sources was collated there, was a sensible system and necessary to provide for an effective audit, enabling the auditors at KPMG to raise queries as to any of the data, and to channel them through one contact. The data so held would, on an encrypted work laptop, be secure. The transfer from a collator of information by downloading it onto a USB stick provided by KPMG and encrypted by them equally gave rise to a risk of data corruption or leak which was merely minimal. (Par. 81) As to the deletion thereafter, I accept that data had to remain on the work laptop of the collator for a sufficient period to enable any potential requests for further information from the external auditor to be serviced. Since the work of audit was likely to be completed by early December I would not have considered it unreasonable for that data to have remained on the laptop of the collator concerned until then. (Par. 82) It follows that, seen in broad overview, and save for two matters, namely the identity of Skelton himself as the recipient of the information, and the question of whether in his case deletion from his computer should have been more carefully checked, there was no failure of Morrisons to provide adequate and appropriate controls.”

The “human factor”: should Morrisons have entrusted Skelton with the data?

In order to determine whether Skelton was trustworthy, in particular in view of his role as an internal auditor with access to employees’ personal data, including data that could be termed sensitive and confidential, the Court analyzed the circumstances of Mr. Skelton’s appointment and his trustworthiness, from the perspective of his superiors, before and after an incident that led to a formal sanction by Morrisons and that was, allegedly, the incident that led him to perpetrate the data leak. It is worth mentioning that the Court examined at this point whether or not the employer, Morrisons, had been sufficiently diligent in determining whether Mr. Skelton was sufficiently trustworthy to be allowed to process the personal data for which he had been made responsible by his superiors.

It is important to note that Judge Langstaff drew attention to the fact that the data transfer from PeopleSoft to KPMG “relied critically upon trust being placed in individuals” and went on to ask whether there should have been a failsafe system that could have avoided the data leak, for example a double key system where two different individuals would have had to enter a code to allow access to the data. From our perspective, companies should ask themselves whether they are “relying critically” on trust placed in individuals to protect the personal data for which they are responsible.

Accessing the TOR network: should employees’ access to the Internet be monitored?

The claimants suggested in the claim that Morrisons should have known that Mr. Skelton was trying to research the TOR network.

With regard to this point, it was described that Morrisons have an external facing firewall which is connected directly to the internet. This is known as the “red side”. A second firewall protects Morrisons’ internal network (the “green” side). Between the two is what is known as a “demilitarised zone” or “DMZ”, which can be accessed from the internet but which has very limited access to Morrisons’ internal systems, which are protected by the second firewall. An intrusion detection system detects patterns of activity which might indicate a potential attack from the red side. Morrisons also operate a Bluecoat server, which is a proprietary web filtering proxy. This restricts the sites which staff may access. It captures all requests for internet sites made by someone logged on to the internal Morrisons network, and at the same time maintains a list of restricted websites by reference to categories (e.g. pornographic material). If a request is made for access to a restricted site, the system effectively blocks that access. Morrisons maintain a huge list of restricted sites and update it regularly. One restricted category is “proxy avoidance”. This concerns access to those sites which enable individuals to bypass the restrictions imposed by Bluecoat by accessing the internet through a website proxy. The TOR network is one such proxy avoidance site, and is listed on Bluecoat as such. However, only an authorized IT administrator (which Skelton was not) could (and can) install such software on a work laptop. So, according to this evidence, there is indeed a way in which an IT administrator could have installed such software and produced the data leak from a work laptop.

As to whether Morrisons ought to have detected that Mr. Skelton had researched or attempted to research the TOR network using Morrisons systems, there was no system enabling Morrisons automatically to detect when employees might be using the system to research TOR. Nor do Morrisons have such a system in place today. The Bluecoat server keeps a record of every website request made by the end user. Thus, if an authorized person wishes to know what an individual employee has attempted to look at on the internet at work, it is technically possible to get Bluecoat to provide a list. This is not done routinely, but only if there is an issue with a particular employee such that the business feels it necessary and appropriate to review that employee’s internet usage. Nor would it be common practice in organizations similar to Morrisons routinely to scrutinize employees’ web access requests: one of the responsible people said that he had never in his career come across an organization which carried out ongoing active monitoring of internet searches in order to flag up search material which might be regarded as suspect. In any event, it would be necessary to identify what term was to be the subject of the search. To search for a term such as “TOR” is hopelessly unspecific, as the sequence of 3 letters constituting the acronym appears in a vast number of entirely innocuous longer words. Also, even if the research had identified that Skelton had searched for information about the TOR network, it would not in itself indicate his unsuitability to be a recipient of payroll data for onward transmission: rather, as an internal IT auditor it might be thought to be a legitimate part of his role, or merely curiosity.
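To make the judge’s point about keyword searches concrete, here is an added example (not code from the judgement, Morrisons or Bluecoat) that runs a substring search for “tor” and a category lookup over a handful of constructed, simplified web-filter log lines; the log layout and the “Proxy_Avoidance” label are assumptions for the example, not Bluecoat’s real format.

```python
"""Keyword search versus category lookup over web-filter logs.

Added example (not code from Morrisons, Bluecoat or the judgement).  The log
layout, the category label "Proxy_Avoidance" and every line below are
constructed and simplified; a real Bluecoat log looks different.
"""

# Constructed sample: timestamp, user, requested host, filter category, action.
SAMPLE_LOG = """\
2013-12-16T10:02:11 userA www.tor-browser.example.org Proxy_Avoidance BLOCKED
2013-12-16T10:03:40 userB inventory.example.co.uk Business ALLOWED
2013-12-16T10:05:02 userC tortoise-trust.example.org Reference ALLOWED
2013-12-16T10:06:19 userD history.example.com Education ALLOWED
2013-12-16T10:07:55 userE director-jobs.example.net Job_Search ALLOWED
2013-12-16T10:09:30 userA hidewebproxy.example.com Proxy_Avoidance BLOCKED
2013-12-16T10:11:12 userF news.example.com News ALLOWED
"""


def parse(log):
    """Split each constructed log line into a dict of its five fields."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, host, category, action = line.split()
        rows.append({"ts": ts, "user": user, "host": host,
                     "category": category, "action": action})
    return rows


def keyword_hits(rows, keyword="tor"):
    """The naive approach the judge dismissed: a case-insensitive substring
    match on the host name.  "tor" also sits inside inventory, tortoise,
    history and director, so most hits are innocuous."""
    return [r["host"] for r in rows if keyword.lower() in r["host"].lower()]


def category_hits(rows, category="Proxy_Avoidance"):
    """Match on the label the filter itself assigned to the site, which is
    what a "proxy avoidance" category gives you instead of free text."""
    return [r["host"] for r in rows if r["category"] == category]


def per_user_category_counts(rows, category="Proxy_Avoidance"):
    """Requests per user into the given category: the kind of per-individual
    list the text says Bluecoat can produce when a review is requested."""
    counts = {}
    for r in rows:
        if r["category"] == category:
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("keyword 'tor':", keyword_hits(rows))             # 5 hosts, 1 relevant
    print("category     :", category_hits(rows))            # 2 hosts, both relevant
    print("per user     :", per_user_category_counts(rows))  # {'userA': 2}
```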

Moreover, routine monitoring would almost certainly be seen as invasive, and would require a justification on an individual basis before it could properly be conducted, as decided in Barbulescu v Romania (application 61496/08) [2017] ECHR 754 on 5 September 2017.

In the present case, Morrisons had alerted employees through the Morrisons Employee Handbook that it monitored the use of all systems and equipment “to ensure our business is conducted appropriately, including:

  • to establish facts where the content of the communication is disputed;
  • to investigate and detect usage in breach of our policies;
  • for training purposes;
  • for preventing and detecting crime;
  • to ensure the effective operation of our systems;
  • we will not read all your correspondence, however if an anomaly of concern is found we will investigate this thoroughly.”

Judge Langstaff then elaborates on the fact that even if a system that could proactively have detected Skelton researching the TOR network when he did had been feasible, if introduced, “it would have been difficult to justify since it would most probably amount to an unlawful interference with employees’ rights to privacy and family life, with little by way of balancing factor to suggest otherwise.”

It is worth reflecting on the fact that, even in a case like this one, where the data of thousands of Morrisons employees was leaked by a disgruntled employee, the examination of the facts would have judged the use of monitoring systems that proactively detect the websites that employees visit, or that could in any other way be considered intrusive, to be “difficult to justify”.

The matter of the USB stick

As for the transmission of the data by USB stick, it is worth mentioning that the fact that the USB stick was encrypted was decisive for Judge Langstaff in deciding that it was a secure way of transmitting a large quantity of data internally from one secure site to another.

Data Deletion

According to Judge Langstaff’s findings, no one made sure that the data had been deleted by mid-December, which would have constituted a reasonable time period, as the KPMG audit was to be conducted at the beginning of December. It is worth noting also that Mr. Skelton’s superior, when asked about this point, explained that Mr. Skelton, a senior auditor, was expected to delete the data after a short while and to “manage data responsibly”. No organized system was in place, however, to guarantee the deletion of data stored outside of a secure repository (in this case, PeopleSoft). Here is where Judge Langstaff finds that Morrisons fell short: they took a risk that could have been prevented by implementing appropriate technical and organizational measures that are neither too difficult nor too onerous to implement.

Although this fact does not turn out to be decisive for Judge Langstaff’s decision, as the data could have been copied onto a personal USB stick even if it had remained for only one day on Skelton’s laptop, it is important to note that the technical and organizational measures implemented to guarantee appropriate retention and deletion periods can indeed turn out to be decisive in the determination of responsibilities in a data leak incident.
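The judge’s question about a “double key” system (raised above under the human factor) and the missing deletion check described in this section both come down to organizational controls that can be made mechanical. The following is an added example, not Morrisons’ or PeopleSoft’s code, of a small register in which a bulk extract is released only after two distinct custodians, neither of them the requester, have entered their codes, and in which every released copy carries a deletion deadline that is reported as overdue until someone confirms the deletion; all custodian names, codes and dates are constructed for the example.

```python
"""Dual-control release and retention tracking for a bulk data extract.
Added example, not Morrisons' or PeopleSoft's code; custodian names, codes
and dates are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
import hashlib
import hmac


@dataclass
class Extract:
    extract_id: str
    requester: str            # the person who will hold the collated copy
    purpose: str
    requested_on: date
    retention_days: int       # how long the copy may live outside the repository
    approvals: set = field(default_factory=set)
    released: bool = False
    deleted_on: Optional[date] = None

    @property
    def delete_by(self):
        return self.requested_on + timedelta(days=self.retention_days)


class ExtractRegister:
    """Every bulk copy is logged; release needs two distinct custodian codes."""

    def __init__(self, custodian_codes):
        # Keep only a hash of each custodian's code, never the code itself.
        self._codes = {who: hashlib.sha256(c.encode()).hexdigest()
                       for who, c in custodian_codes.items()}
        self.extracts = {}
        self.audit = []       # who did what, when: the trail the judge relied on

    def request(self, extract_id, requester, purpose, on, retention_days):
        self.extracts[extract_id] = Extract(extract_id, requester, purpose,
                                            date.fromisoformat(on), retention_days)
        self.audit.append(f"{on} REQUEST {extract_id} by {requester}: {purpose}")

    def approve(self, extract_id, who, code):
        """One 'key' of the double key: a custodian enters his or her code."""
        ext = self.extracts[extract_id]
        given = hashlib.sha256(code.encode()).hexdigest()
        if who not in self._codes or not hmac.compare_digest(self._codes[who], given):
            self.audit.append(f"DENY approve {extract_id}: bad code for {who}")
            return False
        if who == ext.requester:   # the requester cannot supply one of the two keys
            self.audit.append(f"DENY approve {extract_id}: {who} is the requester")
            return False
        ext.approvals.add(who)     # a set, so the same person never counts twice
        self.audit.append(f"APPROVE {extract_id} by {who} ({len(ext.approvals)}/2)")
        return True

    def release(self, extract_id):
        ext = self.extracts[extract_id]
        if len(ext.approvals) < 2:
            self.audit.append(f"DENY release {extract_id}: {len(ext.approvals)}/2 approvals")
            return False
        ext.released = True
        self.audit.append(f"RELEASE {extract_id} to {ext.requester}, delete by {ext.delete_by}")
        return True

    def confirm_deletion(self, extract_id, confirmed_by, on):
        """The check Morrisons lacked: someone records that the copy is gone."""
        self.extracts[extract_id].deleted_on = date.fromisoformat(on)
        self.audit.append(f"{on} DELETED {extract_id}, confirmed by {confirmed_by}")

    def overdue(self, today):
        """Released copies past their deadline with no deletion confirmed."""
        now = date.fromisoformat(today)
        return sorted(e.extract_id for e in self.extracts.values()
                      if e.released and e.deleted_on is None and now > e.delete_by)
```

A periodic call to `overdue()` is what turns the superior’s expectation that the auditor would “manage data responsibly” into something that is actually checked.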

On how vicarious (indirect) liability was established

In his examination leading to the determination of vicarious liability, Judge Langstaff considers that the Data Protection Act “shall be seen in its full context: that it is the domestic implementation of a European Directive which describes itself in its title as a Directive “on the protection of individuals with regard to the processing of personal data and on the free movement of such data.” The emphasis is on the protection of data subjects”. Judge Langstaff therefore considers that if, at the moment an employee decides to misuse data to which his employer has given him access, the employer ceased to be under any further liability, on the basis that the employee thereafter would be data controller in respect of the misuse, this would tend to defeat the rights of data subjects in respect of that data rather than enhance them, as is the apparent purpose of the Directive. What, to the contrary, is consistent with the greater security and protection of the data subject is to impose the obligations of data controller upon such an employee (making him liable personally, as he would not otherwise be merely qua employee) whilst retaining his employer’s vicarious liability for his wrongdoings where it is appropriate to do so. Two parties are then potentially responsible in law.

On a related matter, Judge Langstaff analyzes the question of whether or not the DPA, by providing that a data controller must take reasonable steps to ensure the reliability of any employees of his, indicates that the draftsman intended to restrict the liability of a data controller for the acts of employees, such that an employer is liable only to take reasonable steps to ensure the reliability of an employee, and no further, and that this provision thus implies an exclusion of vicarious liability. Judge Langstaff considers that one duty does not exclude the other, as the obligation to take care as to the nature of those to whom data is entrusted is mentioned in the part of the Directive which relates to the security of data, while the liabilities of the data controller are contained in a different part of the Directive. This, he suggests, shows that the draftsman did not intend the provision to be the sole ground on which an employer could be held liable for an employee, but rather intended to add a specific safeguard for data, which would not depend on there being any infringement by the employer concerned.

As to the point that holding the company liable for the actions of one of its employees could entail enormous financial losses for the company in the case of a class action brought by a significant number of claimants, Judge Langstaff considered that companies are usually able to cover such costs through insurance and that such losses would not in any case equate to the amounts payable, for instance, in respect of a product liability claim asserted by a cohort of injured customers.

Judge Langstaff therefore concludes that vicarious liability is established, although he is troubled by the fact that, in this case, by finding Morrisons liable, the Court could be seen as aiding Skelton in further harming the party that his criminal acts were directed at harming.

Conclusion

Our main purpose in analyzing this case is to demonstrate the importance of implementing appropriate and sufficient technical and organizational measures to protect the personal data entrusted to our clients, while documenting the implementation of such measures. It is particularly important that companies implement the appropriate training, security measures and auditing processes to guarantee that the employees in charge of the processing of personal data are aware of their duty of confidentiality towards such data and of the procedures that they need to follow to guarantee the security, confidentiality and availability of such data.

The most important lessons that companies ought to learn from this case are, from our perspective:

  1. Companies can’t be too careful when assessing their systems from a data privacy perspective and when remediating the gaps found after such analysis: the fact that the PeopleSoft system was found to be a secure environment by the judge, and that he considered the encryption of laptops and USB sticks to be sufficient measures to protect the data, was essential in finding the company not liable with regard to the process through which the data was leaked;
  2. Retention and deletion periods matter! Companies need to implement systems that guarantee that data is kept only for as long as it is necessary, and to implement appropriate training and controls that routinely check that data is not kept in insecure environments for longer than required;
  3. As a “side lesson”, it is important to mention that Judge Langstaff considered the monitoring of employees’ searches on the Internet or of their correspondence to be “difficult to justify”, even in a case like this one. Monitoring systems must therefore meet very specific requirements to be seen as appropriate, proportionate and not excessively intrusive;
  4. Even if the “human factor” remains the greatest weakness in the data protection framework of the company, the story needs to make sense: companies need to invest in appropriate training and awareness programs in order to create awareness among their employees with regard to data protection law and practice and with regard to the fines and penalties at stake.

The question that the Morrisons judgement leaves hanging in the air is: are companies ready to stand this level of scrutiny with regard to the systems that they use to protect the personal data entrusted to them?


[1] The author would like to state that some fragments of this article were taken directly from the judgement in the interest of time and in order to provide an accurate picture of the case at hand and of the considerations of the Court.