Employer vicariously liable for data breach by rogue employee
This breach accrued under the old data protection regime (the Data Protection Act 1998). It highlights the significant risk of a rogue employee, particularly in light of the far greater penalties under the GDPR. Where a disgruntled employee acts outside the remit of their role with the specific intention of causing damage to their employer the employer could be liable for the breach.
Background
S was a senior IT Internal Auditor employed by Morrisons. Following a disciplinary hearing he was given a formal verbal warning on 18 July 2013. He felt very disgruntled about the disciplinary.
Several months passed and KPMG requested payroll data from Morrisons as part of a routine audit. It was S’ task to provide that data, which he did. However he also made a copy on his personal USB stick. On 12 January 2014, S released the personal data onto a file-sharing website, in another colleague’s name. Other copies were also sent to newspapers. The newspapers didn’t publish the information but they did inform Morrisons.
S was convicted of criminal offences under the Computer Misuse Act 1990 and under the then Data Protection Act 1998. A large number of co-workers whose data had been disclosed then brought the first data leak class action in England and Wales against their employer.
Why was Morrisons vicariously liable for S’ actions?
At the High Court it was held that there was a sufficient connection between S’ actions and his employment, therefore Morrisons was vicariously liable for his conduct. There was a seamless and continuous sequence of events that linked his employment to the disclosure. When S received the data, he was acting as an employee. The fact that he chose to disclose the data was closely related to what he had been tasked to do – to receive and store the information, and then disclose it to a third party. The fact that the disclosures were made from home using personal equipment, and on a Sunday (a non-working day for S), did not separate it from his employment.
The Court of Appeal agreed with the High Court’s decision but what did complicate this case was that his motive was to damage his employer. Morrisons argued that they couldn’t be vicariously liable when the employee had this motive. The Court of Appeal held that his motive was irrelevant.
Importantly what this case tells us is that when an employee has access to personal data as part of their job but then does something with that data in abuse of their role, the employer could be vicariously liable for the breach and could have to compensate data subjects for it.
Impact of GDPR and recommendations
Whilst this breach did occur under the Data Protection Act 1998, it is even more important now to ensure that organisations take effective steps to identify the internal data protection risks and threats before they become a problem.
We recommend:
- The implementation and publicising of accessible policies governing data use, including corresponding penalties for breaches; and
- technical, organisational and security measures tailored to your organisation to frustrate and flag up the activities of any rogue employees.
With the significant increase in regulatory fines for data breaches (a maximum of 4% of global annual turnover or 20 million Euros, whichever is higher) since the implementation of the GDPR, there is an additional and significant financial risk to organisations.
Individuals are considerably more aware of what their data protection rights are and rogue employees know how damaging the impact of personal data breaches can be to an organisation’s reputation. It is more important than ever to take proactive steps for GDPR compliance and to manage risk.