Article

Employment Law implications of managing a cyber attack

24 June 2025


In an age where data is among an organisation’s most valuable assets, a data security breach can result in significant legal, financial, and reputational damage.

While much of the focus tends to be on IT systems, regulatory compliance and public relations, one angle that is frequently overlooked is the people angle: the rights and obligations of both employer and employee in relation to data security.

In this article we discuss recent high-profile cyber-attacks and look at how an organisation's people can be both an asset and a liability, when it comes to preventing a cyber-attack and managing the response in the wake of one.

The Marks & Spencer data breach: A cautionary tale

In April 2025, M&S was subject to a ransomware attack thought to be the work of a group of teenagers and young people who used DragonForce ransomware to encrypt its IT systems. The group gained access to employee and customer data, reportedly including bank details, having socially engineered their way in via an employee of one of M&S's third-party service providers.

The attackers subsequently issued a ransom demand to M&S. The attack forced M&S to take its online ordering platform down for several weeks. Whilst M&S is now taking limited online orders, it has estimated that its operating profit will take a £300 million hit as a result of the attack, with online orders expected to remain disrupted until the end of July 2025 and, no doubt, consumer confidence having been affected for significantly longer.

The same group is also thought to be behind a similar attack on the Co-op and an attempted attack on Harrods, both of which happened within days of the M&S attack.

It would appear that M&S is generally handling the employee relations implications of the attack well, with few public references to loss of employee confidence and loyalty. In the immediate aftermath of the attack, however, several M&S staff did speak publicly about the incident and their concerns in the wake of the breach, both on social media and to journalists, fuelling public speculation about the future of M&S, whether it could recover from the attack and the possible implications for employees of the retail giant.

Key people related implications

  • GDPR, the Data Protection Act 2018 and the duty of confidentiality – It is well known that personal data breaches, whether they relate to customer or employee data, can result in action by the ICO, which has the power to issue eye-watering fines, as well as individual claims for damages by data subjects under the Data Protection Act. What is often overlooked, however, is how a breach of employee data may trigger wider employment disputes, particularly if mishandling data leads to discriminatory outcomes or psychological harm. Employees whose data is mishandled may lodge grievances, make subject access requests and even resign, claiming constructive dismissal and citing a breach of both express and implied terms of the employment contract. Employers have a legal duty to protect employee data and must not act in a way which destroys or seriously damages the implied term of mutual trust and confidence. That implied term can extend to the way in which an employer both handles personal data and responds in the event of a breach of personal data. Whilst loss of personal data might amount to a breach of express terms of confidentiality, arguably, losing employee data, prioritising the protection of customer data over that of employees or failing to keep employees properly informed following a data breach, could also, in certain circumstances, amount to a breach of the implied term.
  • Vicarious liability – It has long been established law that employers are vicariously liable for breaches of personal data by an employee acting in the ordinary course of their employment. There are of course examples of employees acting maliciously, as Morrisons Supermarkets know only too well following a deliberate leak of employee payroll data by a disgruntled employee in 2013, which led to a seven-year legal battle. That case also illustrates the limits of the doctrine: the Supreme Court ultimately held that Morrisons was not vicariously liable, because the employee was pursuing a personal vendetta against his employer rather than acting in the course of his employment. The majority of data breaches, however, occur because of inadvertent, non-malicious acts by employees. Examples include sending data to the wrong recipient, failing to encrypt data which is subsequently intercepted or, in the case of M&S's service provider, an employee being tricked into granting access to a client's systems as a result of social engineering. Whilst any inadvertent breach will clearly be unauthorised, an employer will nonetheless be vicariously liable where the breach occurred in the ordinary course of an employee's work.
  • Disciplinary action – Where a breach stems from employee negligence or misconduct, employers are likely to want to consider taking action, either in the form of disciplinary proceedings or performance management proceedings. Whilst disciplinary action might seem obvious in the case of flagrant disregard of GDPR by an employee, dealing with an employee who has made an honest but potentially catastrophic mistake can be more difficult. They may have been the victim of social engineering, or their conduct or performance may be mitigated by other factors, such as workload or a lack of adequate and up-to-date training. Further issues arise where the employee responsible for the breach is not directly employed by the organisation on the receiving end of the attack, as in the Marks & Spencer case. An employer might also want to deal with employees who, whilst not responsible for the initial breach, act inappropriately in relation to it, for example by publicising the incident, speaking to the press or posting on social media.
  • Psychological impact and duty of care – Breaches of personal data may lead to emotional distress among staff, particularly if the data disclosed is special category data (formerly known as sensitive personal data), for example health records, information about race, ethnic origin or religious belief, sexual orientation or trade union membership. Even where an employee's personal data has not been breached, as demonstrated by employee comments immediately after the M&S incident, any cyber-attack which causes significant financial loss to the organisation is likely to have a significant emotional impact on employees who fear for the future of their employer and, therefore, their jobs. Likewise, employees who are working under extreme pressure either to deal with the attack (such as those in management or IT) or to deal with the fallout from it (such as those in customer service roles), and who may, as in the case of M&S, be operating under the spotlight of significant public interest, are owed a duty of care, both contractually and as a matter of common law.

Practical management and mitigations

To manage the people risks associated with a data breach, employers should, as a minimum:

  1. Update contracts and policies – Ensure that all contracts of employment contain robust provisions regarding data protection and confidentiality, both during employment and after employment has ended. The same applies to provisions regarding data protection and confidentiality in service contracts and in the contracts of employment between service providers and their employees. Likewise, employers should ensure that their policies contain clear guidance for employees and, if relevant, contractors, on data protection, confidentiality and other less obvious but related matters, such as conduct on social media and statements to the press.
  2. Implement training and awareness programmes – Staff should be given training not just on their data security and confidentiality obligations but also on cyber hygiene, phishing risks and social engineering methods, including the kind of impersonation of staff or suppliers that gave the attackers a way into M&S. This training should be updated regularly to reflect evolving and ever more sophisticated threats, with training records kept up to date. In addition to training, employers should consider broader risk management measures such as penetration testing, employee awareness programmes, cyber threat intelligence sharing and, ultimately, a culture which promotes a "whole team" approach to cyber and data security.
  3. Prepare an employee-focused cyber incident response plan – In the event of a cyber-attack, or even an attempted attack or near miss, it is essential that employees know what to do, when and why, not only so that the business can survive the attack but so that lessons can be learned. Cyber incident response plans should involve not only senior management, IT and technical staff but also HR, legal and, where appropriate, staff representatives, so that the impact on all areas of the business is considered and consistency of messaging is achieved.

Conclusion

Cyber-attacks and data security breaches are not just IT or security issues: they are people issues. A failure to consider the people angle and the employment law implications, both in relation to the prevention of attacks and, crucially, as part of any major incident recovery plan, can escalate the crisis. This may expose organisations to additional legal claims beyond the already significant claims under GDPR and result in further reputational fallout. Employers must treat data security as a multidimensional issue, integrating HR, legal and IT responses, to ensure not only that they comply with the law but, perhaps more importantly, that they are able to recover from an attack and move forward with their business, workforce and reputation intact.
