Don’t Underestimate The Insider Threat

The Insider Threat has now become an even more significant risk to businesses following the dismissal of the appeal against the High Court's decision that Morrisons was vicariously liable for an employee's misuse of data. This is despite the fact that Morrisons were deemed to have done as much as they could reasonably have been expected to do to protect their employees' data.

The case Wm Morrisons Supermarkets v Various Claimants (2018) now states that businesses can be vicariously liable for the actions of a rogue employee.

https://www.bakermckenzie.com/en/insight/publications/2017/12/the-morrisons-data-breach-judgment

With the introduction of the General Data Protection Regulation (GDPR) earlier this year, public awareness of data protection has increased, which is likely to lead to litigation being brought against businesses in an effort to seek remedies for a lack of protection of personal data.

Background to the case

A security breach occurred when a senior internal auditor leaked the payroll data of 100,000 employees. Of these, 5,518 former and current employees claimed that this incident exposed them to the risk of identity theft and possible financial loss, with Morrisons being responsible for breaches of privacy.

The Class Action Threat

The Morrisons case is also an example of a class action, where it is not only one individual making a claim but a series of claimants. Claims of this nature can be significant and impact severely on the wellbeing of a business. The insider threat has therefore increased, and it is likely that businesses will need to refocus their efforts on ensuring that they have procedures in place to help counteract such threats.

Emotional Distress

Under GDPR it is now possible to bring claims for non-material damage, i.e. emotional distress caused as a result of a compromise of an individual's personal data.

What can businesses do to monitor employees' behavior?

Limit computer admin rights within the business

Monitor abnormally high transfers of data by employees within the business

Ensure CVs of new employees are what they say they are

Make sure data mapping is in accordance with GDPR, ensuring that the business knows where its data is located.

Robust training of employees, with expectations made clear about how they manage data.

Ensure highly sensitive data is held in repositories

The Insider Threat is intrinsically linked to the human factors that impact upon cyber security; please see our blog on this: http://cyberbrokers.co.uk/human-factor-cyber-risk/

Cyber insurance is also a very valuable asset to have in that it provides insurance protection and offers an incident response service so that businesses can effectively manage a data breach.

 
