The High Court recently held that employers can be vicariously liable for data breaches caused by rogue employees. The decision highlights the importance to businesses of ensuring that data protection compliance requirements are properly addressed.
In April 2016, the High Court of England and Wales issued its judgment in Axon v Ministry of Defence [2016] EWHC 787 (QB). The court emphasised (albeit obiter) the fact that employers can be liable for data breaches caused by rogue employees (in the present case, an employee who had passed on certain information to journalists without the permission of her employer). The impact of this decision on employers is potentially significant, and it serves as another reminder to employers to implement proper data protection processes and procedures, and to ensure that employees receive appropriate training on these issues.
The Claimant was a Commanding Officer of a Royal Navy frigate. In December 2004, he was relieved of his command following an Equal Opportunities Investigation (“EOI”) into his alleged bullying of junior officers on his ship, and he was subsequently reassigned. In that same month, The Sun newspaper published articles about the incident. The Claimant was censured by the Navy and subsequently resigned his commission in 2007.
The Claimant later learned that a Ministry of Defence (“MoD”) employee, Ms Jordan-Barber, had committed a data breach by leaking his personal data, including information about his case, to The Sun in exchange for financial remuneration. The Claimant brought a claim against the MoD (which joined The Sun as a Third Party Defendant) alleging that he had a reasonable expectation of privacy and / or confidentiality in connection with the EOI and reassignment.
The judge in Axon found that the Claimant did not have a reasonable expectation of privacy for a number of reasons, including the public nature of his former role, and the fact that he could not reasonably expect his bullying conduct to be kept private. (This is in line with another recent case in which it was held that an employee had no reasonable expectation of privacy in malicious communications sent to the work email addresses of his colleagues.)
The judge in Axon concluded that the Claimant had no claim for breach of confidence because he could not show that Ms Jordan-Barber owed him any duty to keep any material about him confidential. While she did have a duty to preserve the confidentiality of the information which she received in the course of her work and which she was not authorised to disclose to outsiders, that duty was owed to either the Crown or the MoD – not to the Claimant.
Despite finding that the Claimant’s claim as a whole was unsuccessful, the judge discussed, obiter, the hypothetical question of whether the MoD (as the employer in this scenario) could have been found vicariously liable for Ms Jordan-Barber’s actions.
Citing two recent Supreme Court decisions on this topic, the judge noted that vicarious liability requires: (i) a relationship between the wrongdoer (Ms Jordan-Barber) and the defendant (the MoD); and (ii) a connection between that relationship and the wrongdoer’s actions. Ms Jordan-Barber had official clearance, granting her access to classified information; she had signed documentation reminding her of her obligation to maintain confidentiality of information; and she had learned of the relevant information she disclosed to The Sun in the course of her employment. The employment relationship was clearly connected to her wrongdoing – without that relationship, she could not have had the opportunity to commit the data breach by leaking the Claimant’s personal data to The Sun. On that basis, the judge concluded that if the Claimant had had a valid claim, the MoD would have been vicariously liable for any damages arising out of Ms Jordan-Barber’s wrongdoing.
The decision in Axon highlights the risk that an employer may be vicariously liable for a data breach caused by a rogue employee, where the breach concerns private or confidential information to which the employee only has access by reason of the employment relationship. While no business can ever be fully aware of every activity carried out by its employees, employers should take steps to minimise the risks of vicarious liability, by ensuring that they have in place: strong information security measures; appropriate privacy policies and enforcement of those policies; and sufficient training for employees handling personal data in the course of their duties.