Could an Employer be liable for data protection breaches by its employees?
02/02/2018 | Sally Mouhim
Double blow for Morrisons
In the first class action regarding a data protection breach, the High Court held that Morrisons supermarket was vicariously liable for the data protection breach by its employee in posting the personal details of 100,000 other Morrisons’ employees on a file sharing website via an account set up with a colleague’s personal details so as to implicate the colleague. The employee timed the leak of personal data to coincide with the announcement of Morrison’s annual financial reports in a deliberate attempt to cause damage to Morrison’s reputation. Morrison was itself a victim of the data leak, suffering damage to its reputation and the costs associated with dealing with the data breach, but in a double blow it was also found liable for the act of the rogue employee and had to compensate the employees whose data was leaked who brought the class action.
The Facts in this case
The employee was a Senior IT internal auditor for Morrisons. He also sold a legal slimming drug on e-Bay in his own time. On one occasion he needed to send a package of the drug to a customer and decided to use Morrison’s postroom to send it. The package split and caused alarm to others who saw a white powder and presumed it was an illegal drug. The police were called and he was arrested. He was suspended from Morrisons while the police investigated, but when it was determined that the drug was not illegal, he returned to work. He was disciplined on the basis that his actions caused alarm and could have closed the postroom for the day. He appealed and argued that the disciplinary action was disproportionate, but the appeal was dismissed.
5 months later, he was asked to send payroll data to Morrison’s auditors, KPMG. He did not ordinarily have access to the data (which was limited to a few individuals) but he was provided with it on an encrypted USB stick. He downloaded the information on to his work computer and then saved it onto a USB stick provided by KPMG and sent it to them. He subsequently copied the information onto a personal USB stick and then posted the data on the file sharing website.
The claim by the employees whose data was disclosed
5,518 of the employees whose data was disclosed joined together in a class action against Morrisons. They claimed that Morrisons had breached its statutory duty under the Data Protection Act 1998 for failing to comply with the 8 Data Protection Principles and that it had vicarious liability for the actions of the employee who leaked the data.
What is vicarious liability?
Vicarious liability is a legal principle of strict liability on a no fault basis for a wrongful act committed by another person due to the relationship between them. This is usually found in employment relationships, where the employer can be liable for wrongful acts committed by employees, but can also exist in other relationships, such as partnerships.
What the Court said
The High Court found that Morrisons was not the “Data Controller” for the purpose of the 1st, 2nd, 3rd and 5th Data Protection Principles and so did not owe a duty to the employees. It was the rogue employee who was found to be the Data Controller, since he took the decision as to how the data on his computer should be processed, and he was in breach of those principles, not Morrisons. He was not acting on behalf of Morrisons when he disclosed the data.
Morrisons did have a duty to take appropriate and technical organisational measures as required by the 7th Data Protection principle. The employee claimants argued that Morrisons had breached this duty because it should not have trusted the rogue employee with the data when he had been disciplined and he disagreed with the sanction imposed. They also argued Morrisons should have ensured the data was deleted from the rogue employee’s computer.
The Court found that Morrisons was not wrong to trust the rogue employee with the data. Although they knew he was disgruntled following the disciplinary sanction, they could not have known he would commit a criminal act to harm them.
In respect of what constitutes appropriate measures for the 7th principle, the court said this is a balance between the level of security to be achieved and the costs and technological constraints of doing so. The Court found Morrisons took precautions by limiting access to the personal data to a few trusted employees. However, there was no organised system for the deletion of data, and Morrisons relied upon the employees to delete data with no appropriate checks and balances to ensure they had done so. Although the Court found Morrisons did breach this duty for the failure of a system to ensure deletion of data, this did not cause the disclosure by the rogue employee. If there had been a system, it would not have prevented him from disclosing the data, because he deliberately set out to disclose it to harm Morrisons.
However, Morrisons was found vicariously liable for the data leak by the rogue employee. The Court said that there was a sufficient connection between the employee’s position of being entrusted to handle and disclose the data to KPMG and the wrongful act of leaking the data. There is to be a separate hearing to determine the amount of compensation to be awarded. However, even if the amount awarded to each of the 5,518 employees is not high, the other 94,480 employees could bring a claim and the overall costs for Morrisons could be astronomical.
What are the implications of the case?
Morrisons was found not to be directly liable for any breaches of the Data Protection Act and had taken reasonable steps to prevent the misuse of data, yet it was still found liable for the misuse of the data by an employee, despite the fact that Morrisons was the target of, and a victim of, the attack by the employee. This is a cause for concern for employers, since it appears that despite taking all reasonable measures to protect the data they hold, they may still have liability for actions of their employees which are not within their control.
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and increases the potential liability for data protection breaches. It is also more likely that there will be an increase in the number of class actions for data protection breaches. Businesses should therefore ensure that they are adequately insured for such potential liability. It would also be prudent to review existing systems in the light of the GDPR and consider any changes which may be implemented to ensure compliance, including training staff as well as appropriate checks and balances on employees.
The judge has given permission to Morrisons to appeal the decision and Morrisons has indicated it will appeal, so the position may change in the future.