Judges warn firms that they need data protection insurance
Court of Appeal judges have told employers to take out insurance against the risk of rogue employers stealing personal data.
Morrisons, the supermarket chain, lost their case at the court despite claiming the company had done nothing wrong and was a victim of the theft of personal data relating to around 100,000 staff.
The data was copied by a disgruntled employee in the IT department without permission and later sent to newspapers and published on the internet.
The information included names, addresses, bank and salary details.
The employee was jailed for eight years for the data theft.
Cover needed for internal data breaches
The company is contesting that it should have to compensate 5,500 staff who have brought a class action claiming damages for the criminal act of a single employee.
Compensation has not yet been set, but Morrisons is thought to have spent £2 million on legal fees already. The concern is the remaining 95,000 employees may pursue claims if their colleagues win compensation.
The High Court ruled against the claim from Morrisons. The supermarket appealed, but the Court of Appeal agreed with the High Court ruling and dismissed the claim.
The company is now planning to take the case to the Supreme Court.
The High Court explained that although there was no reason to distrust the employee with data, the company had no procedures in place to safeguard the data from misuse.
Judges at the Court of Appeal commented that although the ruling opened companies to claims for incidents that were beyond their control it was up to employers to insure against the risk.
Data security is vital for businesses
More data breach claims are expected as the victims do not have to show they suffered a loss under data protection laws, just that the incident led to distress.
The ruling and new data protection laws under GDPR (General Data Protection Regulation) mean employers must tighten up data security to cover ‘lone wolf’ data thefts.
Data security reviews should look at limiting who has access to personal data – for both employees and customers.
Staff who can process the data should have limits on access and measures should be put in place to flag potential misuse.
Businesses should also stop staff from bringing their own devices to work, or certainly from taking them into sensitive areas from where they can access personal data.
Professional indemnity cover can include cyber insurance, which covers data breaches or attacks from external hackers.
Cyber insurance comes with help on managing a data breach, including legal advice, media management and assistance with notifying staff, employees and regulators.
The cover includes settling fines imposed by regulators.
The cost depends on how much insurance a business needs.
This is worked out from the amount of personal data held, the size of the business and how IT intensive the day-to-day activities may be.
Premiums start from £12.60* a month
*Based on £100,000 worth of cover. Plus insurance premium tax (IPT) currently at 12%.