It is often assumed that data breaches occur as a result of carelessness or third party cyber-attacks. However, some recent cases in Guernsey and the UK highlight the very real risk of deliberate and occasionally malicious “insider” breaches committed by employees or others within an organisation.
The data protection legislation in both Guernsey and Jersey prescribes offences of knowingly or recklessly obtaining or disclosing personal data (or the information contained within it) without the consent of the relevant controller. These mirror the offences set out in the UK’s Data Protection Act 2018.
It should be emphasised that a person acting in this manner commits a criminal offence (subject to proving any available defence). This is not a case of civil liability and hoping to rely on professional indemnity insurance to cover the costs of the error. On conviction for this particular offence, perpetrators in Jersey face the imposition of a fine, and those in Guernsey risk a combination of a fine and/or prison sentence of up to two years. Furthermore, where that individual is working in the financial services industry, theft of personal data is likely to be viewed seriously by the GFSC and JFSC when it comes to assessing whether an individual should be regarded as fit and proper.
Nevertheless, it seems that the threat of criminal sanction has not proved to be a sufficient deterrent to certain disgruntled or overly curious employees. Two very recent UK cases (dealt with under the previous regime of the Data Protection Act 1998) resulted in the imposition of fines on employees who unlawfully accessed patient medical records and the personal data of customers of a car dealership.
In Guernsey, February 2019 saw the acquittal of a hospital employee facing prosecution for unlawfully accessing patient records without proper justification, and judicial criticism that the employer did not, apparently, have in place a suitably accessible data protection policy at the relevant time. Whilst the new data protection regimes in both the UK and Guernsey will no doubt have led to changes and improvements in the approaches of the businesses or departments concerned, the actions of employees (whether “rogue” or inadvertent) remain one of the main sources of concern for boards.
Unfortunately for businesses, the ramifications of deliberate breaches by employees do not stop at the point of individual criminal sanction for the perpetrator.
A stark warning lies in the well-publicised case involving the deliberate circulation of employees’ payroll data by a disgruntled internal auditor of the Morrisons supermarket chain. The Court of Appeal in the UK upheld the High Court’s finding that, notwithstanding that the perpetrator’s actions were deliberate and intended to cause harm to Morrisons, the employer was vicariously liable for those actions (and the compensation sought by the employees).
It will be of concern to businesses that the deliberate act of a disgruntled employee can result in the employer shouldering loss claimed by the ultimate victims of the data breach. On policy grounds, it is understandable that the rights of the data subjects are best protected by way of civil redress against a financially stable (and usually insured) business. Whilst the sight of individual perpetrators being prosecuted may bring short term satisfaction for those impacted, there is often no effective redress or compensation available.
All is not lost: businesses can minimise their risk in the following ways:
1. Regular staff training on data protection policy, including updates and refresher training, ensuring that staff understand and acknowledge their individual obligations and those of the business. Culture is key.
2. Restrictive (least-privilege) access controls limiting access to personal data to staff who require it for a specific and legitimate purpose.
3. Monitoring staff access to personal data held by the business so as to detect any unusual patterns of access or extraction.
4. Regular reviews of personal data inventories held by the business so as to ensure compliance with restrictions on time limits for its retention.
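The access monitoring described in point 3 can be made concrete with a small review script. The following is an added example, not code from the article or from any of the organisations it mentions; it assumes a simplified access log of (user, role, record, action, hour) tuples and a hypothetical map of which record sets each role legitimately needs, and flags the patterns the cases above illustrate: records outside a person's remit, unusually high volumes, and data exports outside business hours.

```python
from collections import defaultdict

# Constructed sample access log for this example (not real data):
# (user, role, record_id, action, hour_of_day)
ACCESS_LOG = [
    ("nurse_a",   "ward3", "P1001", "view",    9),
    ("nurse_a",   "ward3", "P1002", "view",   10),
    ("nurse_a",   "ward3", "P2050", "view",   12),  # record from another ward
    ("clerk_b",   "hr",    "E2001", "view",   14),
    ("clerk_b",   "hr",    "E2002", "view",   15),
    ("auditor_c", "audit", "E2001", "view",   21),
    ("auditor_c", "audit", "E2002", "view",   21),
    ("auditor_c", "audit", "E2003", "view",   22),
    ("auditor_c", "audit", "E2004", "view",   22),
    ("auditor_c", "audit", "E2005", "export", 23),  # bulk pull after hours
]

# Hypothetical scope map: the record sets each role has a legitimate need to reach.
ROLE_SCOPE = {
    "ward3": {"P1001", "P1002", "P1003"},
    "hr":    {"E2001", "E2002", "E2003", "E2004", "E2005"},
    "audit": {"E2001", "E2002", "E2003", "E2004", "E2005"},
}

def detect_unusual_access(log, role_scope, volume_threshold=3, business_hours=(8, 18)):
    """Return {user: [reason, ...]} for users whose access pattern looks unusual.

    Each reason is a signal for human review, not proof of wrongdoing:
      out_of_scope       - touched a record the role has no legitimate need for
      high_volume        - distinct records touched exceeds the expected volume
      after_hours_export - exported data outside business hours
    """
    events = defaultdict(list)
    for user, role, record, action, hour in log:
        events[user].append((role, record, action, hour))

    findings = defaultdict(list)
    start, end = business_hours
    for user, evs in events.items():
        role = evs[0][0]
        records = {record for _, record, _, _ in evs}
        if records - role_scope.get(role, set()):
            findings[user].append("out_of_scope")
        if len(records) > volume_threshold:
            findings[user].append("high_volume")
        if any(a == "export" and not start <= h < end for _, _, a, h in evs):
            findings[user].append("after_hours_export")
    return dict(findings)

if __name__ == "__main__":
    for user, reasons in detect_unusual_access(ACCESS_LOG, ROLE_SCOPE).items():
        print(f"{user}: {', '.join(reasons)}")
```

In a real deployment the threshold would be derived from each role's historical baseline rather than a fixed number, and the flagged users would go to a data protection officer for review rather than being acted on automatically.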
If properly implemented and maintained, the above measures will assist a business to reduce the risk of accidental or deliberate conduct by staff that could result in civil or criminal liabilities. Building a culture of security and trust within an organisation and with customers is vital to maintaining success in today’s digital economy.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.