Reece Ashmore
- Solicitor
Cyber attacks are on the rise, with recent figures showing a 50% increase in the retail sector alone over the past year.
The recent high profile cyber-attacks affecting M&S, the Co-op, Harrods, and several Scottish local authorities have starkly illustrated the widespread impact of cybercrime. While much of the focus is understandably on data protection and reputational damage, employers must not overlook the employment law implications that can arise when their systems are compromised.
One of the most immediate risks for employers following a serious cyber attack is the inability to process payroll. If an attack disrupts internal systems to the point where staff cannot be paid on time, this may constitute a fundamental breach of contract as well as an unlawful deduction of wages. Where this happens, employees could potentially resign and bring a constructive unfair dismissal claim if they have the required length of service.
To mitigate this, employers must act quickly—both in terms of exploring alternative payment methods and in communicating transparently with staff. In deciding fairness, Tribunals will consider whether the employer took reasonable steps to honour contractual obligations and whether the employee had viable alternatives to resignation. It’s not as simple as: “you haven’t paid me, so I am entitled to full compensation for constructive unfair dismissal.”
Cyber breaches are often caused by human error, such as clicking on a phishing email or failing to follow basic security protocols. Employers may be tempted to take disciplinary action against those involved. However, dismissing an employee in such circumstances could be fraught with legal risk.
To justify dismissing an employee with sufficient service for a one-off event, the employer must demonstrate that the employee’s actions constituted gross misconduct or gross negligence. This assessment may need to consider whether the employee received proper cybersecurity training, what guidance was provided through handbooks or policies, and the overall workplace culture in this area.
Heavy-handed responses may discourage openness and ultimately harm the organisation’s security position. Employers should consider encouraging transparency and internal reporting through robust grievance and whistleblowing policies, which support early identification and resolution of cybersecurity concerns.
Organisations can take steps to ensure employees are confident in identifying phishing scams, following guidance on secure password management, and understanding the importance of reporting suspicious activity. Employee vigilance, with staff following the security basics and reporting any queries or concerns to the appropriate person immediately, plays a key role in an organisation’s collective security.
The General Data Protection Regulation (GDPR) imposes stringent duties on employers to protect employee and customer data. Following a cyber attack, organisations must promptly report any significant breaches to the Information Commissioner’s Office (ICO) and to the individuals affected. A failure to do so may not only lead to regulatory penalties but can also erode trust among staff.
Importantly, the employer must take remedial action to prevent further breaches—both to comply with legal obligations and to reinforce its duty of care to employees.
To protect both data and employment relationships, employers should consider:
Cybersecurity is not just an IT issue — it can have significant legal and HR consequences. In the wake of rising cyber threats, Scottish employers must ensure they are not only protecting their data through sufficient cybersecurity measures but also upholding their employment law obligations. Failing to do so risks not just financial and reputational damage, but potential claims from within their own workforce.
Our expert team can help you navigate the legal and HR risks that come with cybersecurity issues by ensuring your policies and practices not only protect sensitive data but also comply with employment law obligations. Failing to act could not only mean reputational and financial damage but also internal claims from employees — making it more important than ever to take a joint approach.
Contact a member of our team or Reece Ashmore at Reeece.Ashmore@andersonstrathern.co.uk if you require assistance with any of the areas discussed in this article.