A large supermarket chain in the United Kingdom employed a senior internal IT auditor, who was responsible for dealing with large amounts of highly sensitive data relating to both employees and customers. This included the names, addresses, genders and dates of birth of the employees, along with their bank and salary details.
The IT auditor operated a sideline business of his own from the head office's mail room in which he distributed "weight slimming" white powder to customers on eBay. This sideline business was discovered by his employer, the supermarket chain, which swiftly acted to close the operation. The employer formally warned the IT auditor that further misconduct would result in the termination of his employment. This caused the IT auditor to hold a grudge against the employer. His anger grew over time.
Presumably in an act of revenge, the IT auditor posted the personal details of over 100,000 employees of the supermarket on a publicly available file-sharing website. He then anonymously tipped off several national newspapers about the data breach. The newspapers did not publish the story, but instead informed the employer. The police then traced the matter back to the IT auditor, who was charged with fraud. He was found guilty and sentenced to 8 years in prison.
Then, a number of other employees of the business, whose details had been released, sued the owner of the business for the misuse of private information. They claimed the owner of the business was responsible for the protection of the information. The Court found in favour of the employees!
This illustrates that employers can be found responsible for the actions of their employees, even for things they would never have approved of! Having an effective privacy policy and providing clear boundaries to employees can help an employer avoid, both formally and informally, the troubles experienced in this case.