
Rogue employees, Data Security and Employer Liability

Data Breaches and Vicarious Liability of Employers

In December 2017 the High Court of England and Wales ruled that Morrisons Supermarket (http://www.bailii.org/ew/cases/EWHC/QB/2017/3113.html) was vicariously liable for the actions of a rogue employee who accessed the personal information of other employees and intentionally published it online. The claim, brought by over 5,500 employees, consisted of three causes of action:

1. Breach of statutory duty (Data Protection Act 1998);

2. Tortious misuse of private information;

3. Breach of confidence.

During his employment, a disgruntled employee, Andrew Skelton, obtained and copied a file containing the personal details, including addresses, bank details and salaries, of some 100,000 employees, and later uploaded it to the internet. He was convicted of fraud and associated charges in criminal proceedings and given an 8-year sentence.

The central question for the civil Court was whether primary and/or vicarious liability could be established. Primary liability was rejected on the basis that Morrisons had not breached the data protection principles.

The Court was satisfied that adequate security measures had been taken: access to the data had been limited, internal checks had been conducted, and appropriate methods of transfer had been employed, using encryption and authorisation requirements. Further, the Court considered that there was nothing to suggest that Skelton harboured a grudge, posed a security threat or could not be trusted. Morrisons had therefore discharged its primary data protection obligations.

Vicarious liability for the actions of Skelton was established on the basis of the “social justice” principle, due in part to the connection with, and the control exercised by, the employer. In reaching its conclusion, the Court considered whether there was a sufficient connection between Skelton’s job and the wrongful act for the conduct to fall within the principle of ‘during the course of employment.’

Handling data was a key part of his role, and he was authorised to access it in order to discharge his duties. The Court also found that there was a sufficient connection between his job and the wrongful act, even though the data was disclosed from a personal computer (having been copied), outside working hours, several months after the data was copied, and deliberately in order to harm the employer.

Implications

Whilst all cases in this field must be viewed on a fact-specific basis, the potential impact of this ruling on employers is considerable, as it extends their exposure to liability for the actions of their employees even where those employees commit illegal acts intentionally and without the employer's knowledge.

Responsible employers ought to review the mechanisms they have in place to prevent breaches and to limit their vicarious liability in the event of a civil suit. This will undoubtedly involve a greater regulatory burden and operational cost for businesses. However, from both a reputational and a financial point of view, ensuring that compliance measures are in place could serve to limit liability in the event of a data leak, particularly if individuals cannot be identified from the leaked data.

Although the judgment is under appeal, its far-reaching implications for employers cannot be overstated. To help ensure that appropriate security mechanisms are in place, organisations could review the following:

o Data protection security systems – stress test them;

o Access – limit it internally and vet employees;

o Crisis procedures – implement them to minimise the impact of breaches;

o Employee training – set out the standards expected.

Once GDPR comes into effect, this type of mass claim following a breach caused by the error or malicious actions of employees is likely to become increasingly common, in addition to the fines applicable in the event of a breach. Had the new set of requirements laid out in GDPR been in place at the time, the monetary sanctions in this case for the statutory breach alone could have been substantially higher.

This judgment highlights the potentially severe financial and reputational damage that can follow a leak, even one at the hands of a rogue employee acting intentionally outside working hours. A failure to implement GDPR-compliant technical and organisational measures could lead not only to GDPR-level fines but also to additional compensation claims founded on direct and/or vicarious liability.

By Sarah Lewis BL