Morrisons’ statement following its serious data breach incident, reported as a theft of payroll data, suggested the theft was the work of an insider rather than an external attacker.

Staff data is protected by the Data Protection Act 1998 (DPA) just as customer data is. A key requirement of the DPA is that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction of or damage to it. A breach arising from, for example, an insider threat can therefore be a serious breach of the DPA and can result in formal action by the Information Commissioner, who can issue monetary penalties of up to £500,000.

In the event of a security breach, an organisation needs to take prompt action to investigate and contain the incident, assessing whether the data can be recovered and whether the damage can be limited. It appears that Morrisons is on this path. However, the few days after a breach becomes public knowledge are critical, as staff and customers alike start to ask how an insider threat could materialise in the first place. These are questions that the Information Commissioner’s Office will no doubt also want answered.

When the risk of a data breach becomes a reality, an organisation has to react fast. For this reason, it is important to prepare for the unthinkable by drawing up a breach response plan that identifies the steps to be taken during the containment and recovery stages.

The plan should provide a roadmap for evaluating the risks, implementing remedial measures and capturing lessons learned in the light of experience. This readiness plan should be documented, publicised within the organisation and, importantly, tested. It is better to learn about the weaknesses of a plan in a test exercise than in a live breach incident.

  • Vinod Bange is a partner specialising in data protection at international law firm Taylor Wessing