In the case of Morrisons, the nightmare scenario became reality when their internal auditor Andrew Skelton stole the banking details of 100,000 Morrisons staff and published this data on a variety of websites. Skelton had been angered by the company’s handling of an internal disciplinary matter. In July he was jailed for eight years after being found guilty of fraud, unauthorised access to computer material and unlawful disclosure of personal data.

The nightmare is not yet over for Morrisons, however. Last month more than 2,000 of the employees affected by Skelton’s actions took Morrisons to court in order to seek financial compensation for their loss. The company have already forked out millions of pounds to repair the damage caused by the data theft and they look to be facing another sizeable bill to defend these claims.

The Morrison saga is a tale of woe that could befall any business. Under the laws governing data protection with which every employer is required to comply, information security is of paramount importance:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” Data Protection Act 1998, seventh data protection principle

All employers should ensure they have adequate security measures in place to prevent such thefts from occurring in the first place. In the Morrisons case, Skelton had a level of access to confidential and sensitive data beyond that of the ordinary employee. With hindsight Morrisons will probably wish they had monitored his activities more closely following his disciplinary matter.

If, despite the best precautions, the worst should happen and data go missing, then the Information Commissioner’s Office (ICO) recommends a four-part response. Click on the headers below for more information:

Photo: MacBook Pro backlit keyboard Tom Eversley