Vicarious liability for data breach by employees

In the first group litigation of its kind, Morrisons Supermarkets was found to be vicariously liable for the actions of a rogue employee who, driven by a grudge against the supermarket chain, took payroll data relating to 100,000 employees and published it online.   

In January 2014, a file containing personal details relating to nearly 100,000 Morrisons employees was unlawfully posted on a website by an employee.  The employee was one of a limited number of employees who had been permitted access to all of the data which was held in a secure internal server.  Earlier in November 2013, the employee has secretly copied the data from his encrypted work laptop onto a personal USB following a verbal warning he was given in July 2013 as a result of an unconnected misconduct.

Immediately after Morrisons discovered the breach, it took action to close the website down to protect the data and limit any financial loss which might have resulted from the disclosures.  Despite this, 5,500 employees brought a claim on the basis that Morrisons was directly liable for the employees act of disclosing the data or alternatively it was vicariously liable for the employees actions.

The High Court ruled that Morrisons itself was not directly liable for the employees actions however, it went on to rule that it was vicariously liable for the employees conduct, on the basis that their actions were carried out in the course of their employment.

The judge rejected Morrisons’ argument that the employees disclosure of the data on the internet was disconnected by time, place and nature from their employment. Morrisons had specifically assigned the employee with the task of dealing with the data, they were appointed on the basis that they would receive confidential information and that they could be trusted to deal with it safely.  Morrisons took the risk that they might be wrong in placing trust in the employee.  It was a part of the employees role to receive and store payroll data and to disclose it to a third party.  Whilst they were not authorised to disclose it more widely, it was nonetheless closely related to what they were tasked to do.  It followed therefore that when the employee received the data, they were acting as an employee and that the chain of events from then until disclosure was unbroken.  The fact that the disclosures were made some time later, from home, by using personal equipment and on a Sunday did not break the connection of employment.

As is often the case where employers are found vicariously liable for an employee’s acts, there was not really anything that Morrisons could have done to prevent the employee acting as they did.  The employee was aggrieved at their treatment and intent on harming their employer.  However this was not relevant when it came to determining the question of vicarious liability.

The Court has yet to decide on the level of compensation which Morrisons will have to pay, but in view of the numbers involved the cost is likely to be substantial.  Morrisons has been granted permission to appeal to the Court of Appeal and so this may not be the final word on the matter.

The above Morrisons case has highlight that with the EU Gender Data Protection Regulation (GDPR) fast approaching, employers need to be more mindful than ever about the security measures they have in place to protect personal data. With this in mind, below are some ideas for what organisations can do to minimise the risks:-

  • Stress-testing data protection security system is essential; were it not for Morrisons’ robust security measures it would probably have faced direct liability as well.
  • Organisations are increasingly aware of the risk of external hacks to their systems but the risk of an inside job could be even higher. Employers should consider what systems they have in place to control access and use of personal data by employees. Has the number of people who can access sensitive data been limited, and has it been considered who those people should be? Can the organisation readily identify who has accessed or copied data from its systems? It should be considered how USB sticks are used and these must be encrypted where they contain confidential or personal data.
  • Breaches can happen accidentally as well as maliciously. Employees should be sufficiently trained in data security and reminded of basic data protection measures regularly.
  • Organisations should be prepared for crisis situations. They should ask what procedures are in place to deal with accidental loss of data, (for example a briefcase left on a train) or theft. Do employees know who to contact with concerns, and is someone in place to deal with issues? Quick action can make a big difference, especially in limiting reputational damage.
  • Organisations may be revamping data protection policies in light of the GDPR. This is an opportunity for a detailed review and an examination of the detail of the standards of care and conduct expected from employees.

If you are in need of employment law advice with a personal approach then call us on 01603 751926 or contact us via the website discuss your requirements further.