Data Breaches And Vicarious Liability

Associate Solicitor Jane Sinnamon, from Collingwood Legal, examines the implications of the High Court decision that employers are vicariously liable for data breaches committed by its employees.

It seems like reference to ‘data’ and ‘data protection’ is everywhere at the moment, not least because of the impending General Data Protection Regulations (GDPR) which come in to effect in May 2018 replacing the existing Data Protection Act (DPA) 1998.

The challenges to employers as ‘data controllers’ in holding sensitive and confidential data and entrusting such information with employees was highlighted in a decision reached by the High Court on 1 December 2017 in the case of Various claimants v Wm Morrisons Supermarkets PLC.

The facts

An employee of Morrisons was unhappy about a minor disciplinary sanction that had been imposed on him. In retaliation, he used his position as a Senior IT Manager to release the personal details (details entrusted to him in his role) of almost 100,000 employees to a public file sharing website. The data shared included salary information, bank details and national insurance numbers.

The employee’s actions rendered him personally liable for criminal offences under the Computer Misuse Act 2009 and the DPA, for which he is serving an 8 year prison sentence. The court noted that in taking this course of action the employee utilised his advanced IT skills to avoid measures Morrisons had taken to avoid data breaches of this kind.

A group of approximately 5,500 employees subsequently brought civil action against Morrisons as the ‘data controller’ under the DPA. This is the first group action litigation regarding data protection and breaches in the UK courts.

High Court decision

The court dealt with two key questions:

– Did Morrisons have primary liability for the employee’s breach under the DPA?

The court said ‘No’. Once the employee misappropriated the personal data and started sharing it, he became the data controller (not Morrisons) and assumed liability for the breaches where he was acting without authority.

– Was Morrisons vicariously liable for the actions of its employee?

The court said ‘Yes’ on the basis there was a ‘sufficient connection’ between the employee’s employment and his wrongdoing, even though the disclosure itself did not occur on a company computer or during working hours. Compensation in respect of this finding is to be determined at a separate hearing but it is likely to be significant.

What next?

This won’t be the last we hear about this case as the High Court gave Morrisons permission to appeal the decision, which Morrisons intends to do.

In the meantime, what does the decision mean for employers?

For employers, this decision is worrying. Essentially this case highlights that there is no failsafe system for entrusting staff with confidential information in order to avoid vicarious liability. However, what it does highlight is that Morrisons avoided a finding of primary liability for a breach of the DPA on the basis it had practices and procedures in place to deal with confidential data and the potential misuse of such data (although the court was critical of Morrisons not having in place an organised system for the deletion of data).

This decision, in conjunction with the new GDPR, emphasises the importance for employers to understand and prioritise data protection and cyber security. If organisations cannot demonstrate that they have taken sufficient steps to ensure technical and organisational measures have been taken to prevent data breaches, then the reputational and financial implications (should a data breach occur) could be significant particularly as heavier financial penalties will apply from May 2018.

We have extensive expertise of data protection laws in the employment context and frequently deliver in-house training on this topic. We are also delivering a number of masterclasses in the coming months to prepare clients and contacts for the new GDPR regulations in May 2018.