The Law Offices of Mary N. Chaney, P.L.L.C.
The Cyber Security Law Firm of Texas

Mary's Blog

The Breach Whisperer

About Mary....

Mary N. Chaney, Esq., CISSP® is a former Special Agent for the FBI where she investigated cybercrime, a seasoned corporate executive that built and operated information security teams and now a cybersecurity attorney.

As a self-described “Breach Whisperer” our firm can train your company to properly prepare for your eventual breach!

The overall goal of our firm is to use our wealth of knowledge and expertise to help support, translate and advise, Boards of Directors, CIO's, CISO's and General Counsel's on how to legally protect their company from cyber related risk.

Blog Entries


 

In The U.K. - A Company May Be Liable For A Rogue Employee Action

See Article Here

This is a very interesting case to watch, one because it is the first ever data breach class action law suit in the U.K., but also because the facts of the case and the possible precedent. Morrisons, a U.K. supermarket chain, is being sued due to the actions of a former employee, this employee was a senior internal auditor who “uploaded a file containing nearly 100,000 Morrisons employees’ personal data, including their names, addresses, birth dates, phone numbers, bank account numbers and their salaries at Morrisons.” The class action lawsuit, by 5000 Morrisons employees, claims that Morrisons should be held vicariously liable for the actions of its then-employee. 

“Vicarious liability refers to a situation where someone is held responsible for the actions or omissions of another person. In a workplace context, an employer can be liable for the acts or omissions of its employees, provided it can be shown that they took place in the course of their employment.” 

Morrisons claims that they should not be held liable for a rogue employee, but I can see the point of the plaintiffs, my first question when I read the article was why wasn’t there some data leak prevention (DLP) software preventing the employee from uploading a file with that much sensitive information? What I talk about often in my blogs, if a company has identified where the sensitive data is located and have a duty to protect it, reasonable controls have to be put in place to prevent that information from exposure, even from internal employees! It is reasonable for a company to protect employee sensitive information with some sort of controls that will prevent an internal employee from stealing all of that data. Both non-technical controls like random background checks, but technical controls like DLP, are great ways to provide that additional layer of protection.