Employers can be held vicariously liable for data breaches of their employees
Even before GDPR comes into force on 25 May, employers can be held vicariously liable for data breaches of their employees.
In the case of Various Claimants v WM Morrison Supermarkets PLC (A2/2018/0090) the supermarket was held vicariously liable for the leak of personal data of its employees. The litigation involved a data breach by a disgruntled employee who illegally shared a payroll spread sheet online which contained bank, salary, date of birth and NI details of almost 100,000 staff.
Facts of the case
Mr Skelton (S) was employed by Morrisons as a senior IT internal auditor. He was therefore entrusted to access personal data about employees, including payroll, which was sensitive and confidential in nature.
In addition to his employment at Morrisons, and unknown to them, S also sold a legal slimming drug on EBay. On one occasion, for convenience, he posted the package using Morrisons' post room. While in the post room the package split open, causing alarm. The police were called and S was arrested. Tests of the powder revealed that it was a legal substance and S returned to work, but was subject to disciplinary proceedings.
Several months later, KPMG requested payroll data from Morrisons for external audit purposes. S was tasked with sending that data to KPMG. The data was contained on secure software called PeopleSoft, to which only a few employees had direct 'super-user' access. This included some employees in the HR department but not S. S was instead provided with an encrypted USB stick, which contained the information and which he downloaded onto his work computer. He subsequently loaded the information onto another USB stick provided by KPMG and forwarded it to them.
However, the downloaded data remained on S's computer and he copied it onto a personal USB stick. At a later date, S posted the file containing the personal details of almost 100,000 Morrisons' employees on a file sharing website. S had used another employee's details to open an account in order to post the file onto the internet. S was arrested and subsequently charged with fraud and sentenced to eight years imprisonment.
Having been through the reputational exposure of a criminal trial, Morrisons then faced a claim by 5,518 staff in the first group litigation of its kind in the UK. The claim was brought under the Data Protection Act 1998 (DPA), misuse of private information and breach of confidence. The claimants' argued that Morrisons was both primarily and vicariously liable for the distress caused by the breach.
On 1 December 2017, the High Court held that primary liability could not be established on the basis that Morrisons was not the data controller at the time of the breach. However, the court held that the 'sufficient connection' test was satisfied in this case and Morrisons was vicariously liable for the employee's actions.
The test involves the proximity of the employee's actions to their employment and whether it is just and equitable to hold an employer accountable for it.
The court found that here there was a causal sequence of events that lead to the breach and that Morrison did not go far enough in putting in an organised system for the deletion of data.
Morrison argued that adding vicarious liability to the already significant and unavoidable up-front cost of compliance with the DPA would result in a "disproportionately crushing" liability and would be excessive on an innocent data controller. It might even result in employers limiting their use of "human agency" (that is, workers) despite being necessary to run an efficient and effective business.
The court gave Morrison leave to appeal to the Court of Appeal, with a decision on quantum to follow, which is due to be heard in October 2018.
With the General Data Protection Regulation (GDPR) regulations coming in force on 25 May 2018, cases like this are only set to increase, therefore now is the time to ensure that appropriate safeguarding measures are in place to protect your business against data breaches.