Craig McCracken
- Senior Solicitor
Recent outages affecting major global platforms hosted on Amazon Web Services serve as a stark reminder that cybersecurity incidents are a growing threat for modern retail businesses. News stories of this type seem to be increasingly frequent, with cyber-attacks no longer a distant threat – instead, they are becoming a daily reality for retailers.
Over the past year, there has been a 50% rise in cyber-attack incidents across the retail sector. High-profile attacks affecting M&S, the Co-operative and Harrods have dominated news headlines. M&S alone is estimated to have lost £300 million in profits and suffered a £700 million hit to its market value as a result of its recent cyber-attack.
While news outlets often focus on data protection and reputational damage, retail employers must also confront the employment law risks that follow a cyber breach. These risks can be immediate, complex, and costly. Retail is an especially susceptible sector where large, dispersed workforces and high staff turnover are common.
From an employment law perspective, one of the most immediate risks following a serious cyber-attack is the inability to process payroll. A cyber-attack that disables payroll functions can result in delayed or missed wage payments, potentially constituting a breach of contract or unlawful deduction of wages.
In such cases, employees could even resign and bring a claim of constructive unfair dismissal, provided they have the required length of service to do so. Tribunals will assess whether the employer took reasonable steps to honour contractual obligations and whether the employee had viable alternatives to resignation. Therefore, to mitigate these risks, retail employers must be prepared to act swiftly to explore alternative payment methods and communicate transparently with staff.
The retail sector is fast-paced, and instances of human error – such as clicking on phishing emails or mishandling sensitive data – are common in many cyber breaches. Retail employers may be tempted to discipline staff involved, but this approach carries legal risk.
To justify a dismissal for a one-off incident and where an employee has two or more years’ service, the employer must demonstrate that the employee’s actions constituted gross misconduct or gross negligence.
This assessment may need to consider whether the employee received sufficient cybersecurity training, understood what guidance was provided through employer handbooks or policies, and the overall workplace culture regarding cybersecurity.
Heavy-handed responses may discourage openness and ultimately harm an employer’s security position. Retail employers should create a culture of transparency, supported by internal reporting through robust grievance and whistleblowing policies, that encourages early identification and resolution of cybersecurity concerns.
Regular training in identifying phishing scams, secure password management and understanding the importance of reporting suspicious activities can help improve your organisation’s collective security and potentially save you millions in lost profits.
When a retail business is subject to a cyber-attack, media coverage is often focused on whether customer personal data may have been exposed. However, retail employers must also ensure that employee personal data is protected.
The General Data Protection Regulation (GDPR) imposes stringent duties on employers to protect both employee and customer data. Following a cyber-attack, employers must promptly report any significant breaches to the Information Commissioner’s Office (ICO) and to the individuals affected. A failure to do so may not only lead to regulatory penalties but can also erode trust among staff.
Importantly, the employer must take remedial action to prevent further breaches. By doing so, the employer will be seen to comply with its legal obligations, whilst also reinforcing its duty of care to employees.
To safeguard both data and employment relationships, retail employers should:
Cybersecurity is not just an IT issue; it’s a workforce issue. For retail employers, the stakes are high. A cyber-attack may cause operational disruption, reputational damage, and Employment Tribunal claims from its workforce, all of which may cost time and money.
By embedding employment law considerations into cyber resilience strategies, retail employers can better protect their people, their brand, and their bottom line.
For advice on the issues raised in this article, contact us here or email Craig.Mccracken@andersonstrathern.co.uk.