Databreaches.net had a link to a very interesting article about corporate liability for an employee’s malicious leaking of employee information. What was most striking to me was the contrast between cases in the UK and the US.
In the UK, a disgruntled employee leaked payroll data for 100,000 employees of a very large supermarket chain to newspapers in order to embarrass the firm after being disciplined for bad behavior. The courts found that the affected employees have the right to sue the supermarket chain for damages, as the chain was “vicariously responsible” for the acts of its employee.
In contrast, a similar case in the US against Coca Cola had a very different outcome. A Coca Cola employee sold laptops that they had been tasked with destroying, and these laptops contained personal information of employees. Employees sued, but the courts dismissed all of their claims, saying that Coca Cola could not have known about the rogue employee’s activities.
This case has a few lessons for infosec professionals:
First, if your firm operates in multiple jurisdictions, the laws and norms in those jurisdictions can be very different. When judging risk and formulating policy, work with your legal department to make sure you understand these differences.
Second, I feel that this case also shows the differences in attitudes to personal information in the US and the rest of the world. It seems like the US does not value individual privacy nearly as much as other countries. Again, if you operate in multiple jurisdictions, you need to keep this in mind.
As the stakes get higher for organizations (for example $20M or 4% of global revenues for each breach of the EU GDPR), these are things we need to worry about. Buy your general counsel a beer and talk it out before you have to deal with a lawsuit.