Weekly podcast: Supermicro, federal data privacy law and Morrisons

This week, we discuss the stalemate between Bloomberg Businessweek and Supermicro, Apple and Facebook’s call for a federal data privacy law in the US, and what the Morrisons Appeal Court ruling means for every organisation

Hello and welcome to the IT Governance podcast for Friday, 26 October. Here are this week’s stories.

I’m sure you all remember Bloomberg Businessweek’s extraordinary story earlier this month about Supermicro’s supply chain being compromised. Well, it still stands by its claims that the Chinese People’s Liberation Army implanted malicious microchips on server motherboards used by the likes of Apple, Amazon and the US government.

Meanwhile, Supermicro – whose share price plummeted following the story – is conducting an internal review to test the veracity of Bloomberg’s claims. Before starting, it wrote to customers, telling them about the ‘technical implausibility’ of Bloomberg’s allegations.

It said: “We trust you appreciate the difficulty of proving that something did not happen, even though the reporters have produced no affected motherboard or any such malicious hardware chip. As we have said firmly, no one has shown us a motherboard containing any unauthorized hardware chip, we are not aware of any such unauthorized chip, and no government agency has alerted us to the existence of any unauthorized chip. Despite the lack of any proof that a malicious hardware chip exists, we are undertaking a complicated and time-consuming review to further address the article. In the meantime, I want to assure you that Supermicro’s design, manufacturing and quality processes are designed to ensure we provide high-performing, safe, reliable, and secure hardware to all our customers.”

Apple, too, maintains that Bloomberg is wrong – following its company statement and a letter to Congress from its vice president of information security, George Stathakopoulos, Apple’s CEO, Tim Cook, even took the unusual step of telling BuzzFeed this week: “There is no truth in their story about Apple. They need to do the right thing and retract it.”

Amazon Web Services CEO Andy Jassy agreed, tweeting: “@tim_cook is right. Bloomberg story is wrong about Amazon, too. They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories. Reporters got played or took liberties. Bloomberg should retract.”

The stalemate continues.

Talking of Apple, Tim Cook addressed the International Conference of Data Protection and Privacy Commissioners this week. In his keynote speech, Cook criticised the weaponization of personal data and praised the EU’s GDPR (General Data Protection Regulation), which he called on the rest of the world to emulate.

“This year,” he said, “you’ve shown the world that good policy and political will can come together to protect the rights of everyone. It is time for the rest of the world, including my home country, to follow your lead. We at Apple are in full support of a comprehensive federal privacy law in the United States.”

Facebook’s chief privacy officer, Erin Egan, also addressed the conference. She concurred with Cook, saying: “We support strong and effective privacy legislation – in the United States and around the world”.

Facebook in particular is still trying to regain public trust after the Cambridge Analytica scandal, for which the ICO has fined it £500,000, and after the recent data breach affecting 30 million users (not 50 million, as it originally announced), which the Irish Data Protection Commission is investigating. Although Mr Cook and Ms Egan’s remarks are undoubtedly commercially motivated, the call for a federal data protection law from such high-profile figures is laudable.

Whether a federal data protection law is likely in the US is of course anyone’s guess – the Trump administration is no great enthusiast of the GDPR: US commerce secretary Wilbur Ross wrote in the Financial Times this May, shortly after the GDPR came into effect, that the law created “unnecessary barriers” to international trade.

Finally, we turn to this week’s Court of Appeal ruling against Morrisons – a landmark case that potentially has huge implications for all organisations in the UK.

A quick summary for those who don’t know the background: in November 2013, Andrew Skelton, a former Morrisons internal auditor who developed a grudge against the supermarket after being accused of dealing controlled drugs at work, leaked the payroll data of 99,998 staff on a file-sharing website.

The data comprised their names, addresses, gender, dates of birth, phone numbers, National Insurance numbers, bank details and salaries.

Skelton was arrested in March 2014 and, in July 2015, was jailed for eight years.

In 2017, 5,518 Morrisons staff brought the UK’s first data protection class action against their employer, claiming compensation on the basis that the supermarket was liable for Skelton’s actions.

The High Court duly found in favour of the employees, ruling that, although Morrisons had not breached the Data Protection Act 1998 (DPA 98) itself, it was nevertheless vicariously liable because Skelton had acted in the course of his employment – even though he did so “without authority and criminally” and “there was no failure of Morrisons to provide adequate and appropriate [security] controls”.

Morrisons appealed, but this week the Court of Appeal upheld the High Court ruling.

A spokesperson for the supermarket commented:

“Morrisons has not been blamed by the courts for the way it protected colleagues’ data but they have found that we are responsible for the actions of that former employee, even though his criminal actions were targeted at the company and our colleagues.

“Morrisons worked to get the data taken down quickly, provide protection for those colleagues and reassure them that they would not be financially disadvantaged.”

The company now intends to take the case to the Supreme Court. If it is unsuccessful, all 100,000 Morrisons staff will be entitled to compensation.

So, why should this matter to you?

According to this ruling, organisations can be vicariously liable for data breaches caused by their staff even if the organisations comply with data protection law and even if they themselves are the victims of data breaches.

Now that the GDPR has superseded the DPA 98, and introduced a provision for data subjects to receive “full and effective compensation for the damage they have suffered” as a result of processing that infringes the Regulation, the likelihood is that we’ll see more and more class actions in the coming months and years.

And if the Supreme Court upholds this ruling, we can be confident that such actions will stand a significantly higher chance of success even if the Information Commissioner’s Office hasn’t identified GDPR compliance shortfalls.

The need for organisations to do all they can to mitigate the risks associated with data breaches should, therefore, be clearer than ever before.

Coincidentally, we’re currently pushing organisations to better prepare for data breaches. (I know – uncanny, isn’t it? It’s almost like we do this sort of thing for a living.) If you want to assess how likely your organisation is to meet the ICO’s data breach reporting requirements, and learn about the steps you can take to improve your security, why not take our free breach ready assessment? Simply answer a few questions and we’ll email you a detailed report, providing advice on the next steps to take to better prepare for a data breach.

Visit our website and take the test now.

Before we go, a big thank you to everyone who got in touch after I asked a couple of weeks ago whether we should change our theme tune.

“It’s not that bad,” said one listener. It’s a “bit annoying and a bit pedestrian”, but at least not “as annoying as commercials on all other podcasts,” said another. Across the pond, our American listeners find it a “delightfully British” bit of chirpy nonsense, quaint and charmingly oblivious to the zeitgeist. We could do worse, they said. It suits us. Resounding endorsements, all! So, it looks like we’re keeping it. And if you don’t like it, you can’t blame us. The people have spoken – and, as we know, that’s absolute.

That’ll do for this week. Until next time you can keep up with the latest information security news on our blog. Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.