
Supermarket giant Morrisons has been found liable for the actions of a former employee who released the payroll data of almost 100,000 employees in 2014.

The sensitive data, which was sent to several national newspapers and posted online, included names, addresses, bank details and salaries. The breach was motivated by a grievance: the former employee had been accused of dealing 'legal highs' to colleagues at work.

The repercussions of the breach have been catastrophic for the fourth largest supermarket chain in the UK. Over 5,000 employees have begun legal action against Morrisons, claiming damages for the misuse of information. 

In response to this case, Morrisons have had to pay out more than £2,000,000 in costs to date, and this figure continues to rise. In court, the company argued that it could not be held directly or vicariously liable for the incident. The court rejected this argument, and that decision has led to the large amounts paid in damages.

How this relates to the recruitment industry

The action of disgruntled employees who leak sensitive information in revenge for a perceived injustice is a genuine source of risk to the recruitment industry. Both recruitment agencies and umbrella companies hold large amounts of candidate details - often thousands of records - on their systems.

The same situation could arise with temps; contractors often have access to vast amounts of a hirer's sensitive client and employee personal data. Should a contractor feel victimised by or angered towards the hirer, a similar leak or breach could occur, which may leave the hirer in contravention of GDPR legislation.

The recruitment industry must ensure that tighter security measures are in place to protect the personal data of not only employees but of suitable candidates enrolled in registered agencies, as well as the data at hiring companies. 

The Morrisons data leak proves that there needs to be better training and monitoring of all staff, particularly within the recruitment industry where access to sensitive personal data is easily available.

The belief that cyber-attacks and data breaches only happen to big corporations is commonplace. 95% of social engineering claims, however, come from small businesses.

How can the recruitment industry minimise risk?

Training and monitoring of both contractors and hirers can help to protect recruiters from both incidents and vicarious liability.

Recruiters must firstly ensure that they have carried out adequate and robust enough background checks on possible candidates before placing them with hirers. Recruitment agencies would fail in their common law duty as well as potentially breaching contract conditions between agency and hirer if suitable checks are not implemented as policy.

Secondly - and most importantly - agencies and umbrellas who supply hirers with temporary workers must recognise the risk of having very little control over the contractor whilst at the hirer's site.

Whilst a recruiter can carry out robust background checks, agencies and their umbrellas could become contractually and vicariously liable for the actions of a contractor who commits a breach of the hirer's data, especially as non-standard contract terms become more commonplace in today's marketplace.

New GDPR legislation and the exposure of large businesses like Morrisons have highlighted both the risks of poor training and policy and the purchasing of inadequate insurance policies that should provide cover in eventualities such as these.

Steps to take

Although there are no definitive ways to eliminate or reduce the risk of data breach to companies in the recruitment industry, there are several steps that can be taken to protect recruiters.

GDPR: Strengthening and refreshing policy, as well as retraining employees to ensure GDPR compliance, is a worthy investment. This will help to protect recruiters from the risk of non-compliance in the event of a data breach and in the routine handling of other sensitive data.

Background checks: Performing more robust checks on new or existing contractors and candidates is advised. This process, in addition to providing a better understanding of their background that may help match candidates to ideal vacancies, may help identify 'red flags' before they become a threat.

Internal procedures: A review or audit of internal procedures as they relate to data use and overall cybersecurity will rarely be without benefit. If a recruiter finds their operation severely lacking in this area, investment in the services or advice of a suitable cybersecurity expert or company should be considered.

Training: Insider threat is a significant factor in cybersecurity, and the cause of many breaches. Routine staff training can avoid this and may also help avoid vicarious liability should a breach occur.

Contract reviews: Vicarious liability may be discerned in the contracts arranged between a hirer and the agency or umbrella. Periodic reviews of all contracts, while time-consuming, will protect recruiters from risk and ensure the contracts are up to date with current compliance requirements.

Monitor behaviour: In addition to being beneficial for overall employee engagement and wellbeing, diligent monitoring of employed staff and contractors can help recruiters to identify potential risks before they progress further.

Hirer education: Documents, videos and training courses relating to staff behaviour and data security can be provided to hirers or contractors. These may assist in minimising incidents and may help protect recruiters further from vicarious liability.

Insurance: Adequate professional indemnity insurance cover for cyber liability, crime and vicarious liability of contractors must be strongly considered.

By investing time and money into these steps, recruiters may insulate and protect their operation – and that of their clients – from the tangible risk posed by insider threat and poor data security.