Recently there has been yet another data breach involving Facebook. An estimated 50 million user accounts may have been affected by a security breach that could allow the attackers to take over the accounts.
The publicity surrounding the introduction of the GDPR means that users of social media are well aware of the duties owed to them by the organisations that process their data.
But what happens when the breach is closer to home? When can idle workplace gossip, or even malicious actions by a disgruntled employee, lead to a claim being brought against an organisation?
Whilst the large scale breaches attract headlines, the Information Commissioner's Office (ICO) is beginning to exercise its power to impose fines on organisations that breach their regulatory duty.
The ICO also takes action against individuals. Its website reports a prosecution in September 2018 against a former nurse who accessed patients' medical records without authorisation. That individual was fined.
Action by an individual, such as this, can leave an organisation vulnerable to a civil claim. Such claims are rarely covered by the compulsory Employers' Liability Insurance that would protect you in the case of a personal injury claim.
But how can an organisation be sued for the (sometimes illegal) actions of one rogue employee?
It has long been established that an employer will be vicariously liable for the actions of an employee in the context of a personal injury claim. That same principle applies to DPA breaches.
In a case which pre-dates GDPR, Various Claimants v Wm Morrisons Supermarket plc, the Queen's Bench Division held that a defendant employer was vicariously liable for the criminal actions of a rogue employee in disclosing personal information of co-employees on the internet in breach of the Data Protection Act 1998.
That judgment established that, as a matter of English law, a company can be held vicariously liable in respect of data breaches caused by its employees.
This means that a company can be held liable to compensate affected data subjects for loss, including non-pecuniary loss such as upset and distress, caused by a data breach, even when the breach was caused by an employee with no wrongdoing having been committed on the part of the company.
Without insurance to cover the damages or costs arising, it is a salutary reminder that idle gossip can be costly.