In the case of Morrisons, the nightmare scenario became reality when their internal auditor Andrew Skelton stole the banking details of 100,000 Morrisons staff and published this data on a variety of websites. Skelton had been angered by the company’s handling of an internal disciplinary matter. In July he was jailed for eight years after being found guilty of fraud, unauthorised access to computer material and unlawful disclosure of personal data.

The nightmare is not yet over for Morrisons, however. Last month more than 2,000 of the employees affected by Skelton’s actions took Morrisons to court in order to seek financial compensation for their loss. The company have already forked out millions of pounds to repair the damage caused by the data theft and they look to be facing another sizeable bill to defend these claims.

The Morrison saga is a tale of woe that could befall any business. Under the laws governing data protection with which every employer is required to comply, information security is of paramount importance:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” Data Protection Act 1998, seventh data protection principle

All employers should ensure they have adequate security measures in place to prevent such thefts from occurring in the first place. In the Morrisons case, Skelton had a level of access to confidential and sensitive data beyond that of the ordinary employee. With hindsight Morrisons will probably wish they had monitored his activities more closely following his disciplinary matter.

If, despite the best precautions, the worst should happen and data go missing, then the Information Commissioner’s Office (ICO) recommends a four-part response. Click on the headers below for more information:

Photo: MacBook Pro backlit keyboard Tom Eversley

Most employers have systems that maintain daily records of Internet activity, which are logged at various times during the day. These can be searched to identify unusual or illicit activity. However, an employer is not free to undertake any monitoring of an employee’s computer usage it wishes merely because such usage is taking place at work. Monitoring must be done in a way that is consistent with a myriad of legislation, including laws relating to data protection, human rights and telecommunications. There is also a duty of trust and confidence implied into each employee’s contract of employment which may be breached by an employer’s monitoring activities.

A general principle is that any monitoring must be proportionate so that the adverse impact of monitoring an individual is justified by the benefit of such monitoring to the business. The usual purpose of monitoring is to uncover any activities that might expose the company to risk of suit, such as the transmission of confidential information, infringement of copyright, or inappropriate use of company computers.

First, employees must have notice that monitoring will be carried out. The company should have a policy on the use of electronic communications which describes the sort of Internet material that employees are prohibited from viewing. An effective electronic communications policy would contain an express prohibition on visiting sites that contain obscence content (in case any employees are under the misguided notion that it is appropriate to do so while at work). The policy should also warn employees that any inappropriate use of the Internet will be dealt with under the disciplinary procedure.

If any suspicious activity is uncovered during monitoring, it should be investigated. Employers should avoid a knee-jerk reaction when taking disciplinary action. The employee should be given an opportunity to explain their behaviour or challenge the disciplinary findings. This is an important step as there are rare cases of employees successfully justifying their behaviour on the grounds of disability or ignorance of company rules. Finally, any punishment for breach of the electronic communications policy should be applied consistently and fairly.