As a recent British case shows, even U.S. companies can be held responsible if their employees commit a data breach. Here’s how to prevent that.

If an employee commits a data breach and publishes sensitive customer or employee information, he can be held liable and prosecuted. But a recent judgment against a U.K. supermarket chain, W.M. Morrisons, shows that the employee’s employer can be held liable for the breach as well.

A few years back, a disgruntled employee uploaded the names, addresses, bank accounts, and other personal data of 100,000 employees to a public website. The supermarket acted quickly to pull down the information, and the rogue employee, a senior IT auditor, was tried, convicted of fraud, and given eight years in prison. But that wasn’t the end of the case. More than 5,000 employees filed a class action against Morrisons, claiming that the chain had failed in its statutory duty under the Data Protection Act of 1998. In early December 2017, the United Kingdom High Court ruled in their favor.

Well, you might say, that’s Britain. We’re an American company.

Unfortunately, that won’t protect you from vicarious liability. Under the legal doctrine of respondeat superior (Latin for “let the master answer”), a party is responsible for the acts of its agents—in this case an employee whose action is considered within the scope of his or her employment.

Not long after the U.K. breach, my colleague Mike Tierney wrote about the Morrisons case, warning of insider threats from disgruntled employees with authorized access to sensitive data and systems. His intent was to prompt organizations to focus on a very real problem.

The data breach itself was four years ago. The judgment of vicarious liability brings a new sense of urgency. By this time, most American organizations appreciate the risk of insider exfiltration. Some of them must still be asking: “What do I do about it?”

Every company has aggrieved employees—people who believe they have somehow been wronged. Maybe they’ve just had a bad review or been passed over for promotion or a raise they think they deserved. Perhaps they’ve been reprimanded or disciplined for an action—like the Morrisons IT guy who had been caught selling eBay items in the company mailroom—and believe the company treated them unfairly. Maybe they’ve just been fired.

Disgruntlement is often a marker, a known precursor to a threat of potentially dangerous misbehavior, such as a data breach or theft. Vengeance is a basic human impulse—not a particularly laudable one, but a common enough response to a perception of being slighted.

How do you arrest disgruntlement before it becomes a full-blown malicious breach?

A system to keep an eye on the actions and behavior of employees is a great start. But while security teams can usually catch a breach after it’s occurred, they can’t always see the early signs of trouble.

This is where HR comes in. That department is every organization’s first line of defense because it sees and hears it all from employees. HR folks are trained to recognize which negative workplace events—as well as financial pressures and problems at home—may trigger some kind of malfeasance.

But frequently, security teams aren’t clued in. They don’t necessarily know when someone walks out of an HR office upset about something—until it’s too late. Too often there is a disconnect between those who know something and those who need to know it.

To minimize the danger of insider threats, HR and security have to become better partners. They need to share relevant information about employees and to do so in a way that doesn’t violate an individual’s privacy. It’s the only sound reality check on those risks.

Everyone in your company needs to know there’s a new sheriff in town or, at least, a new way of dealing with security. There’s really no other way to protect your most valuable and sensitive information—and to protect yourself from potentially costly litigation.