What better way to start the year than a new headache in the already troubled area of employee data?
Following the recent High Court decision in Various Claimants v Wm Morrisons Supermarket PLC EWHC 3113 that the retailer was liable for an unhappy employee circulating payroll data relating to almost 100,000 employees, Morrisons face an expensive compensation bill.
Aside from being an illustration as to the damage a rogue employee can cause in respect of data (and the consequences for an employer), this decision opens up employers to group claims in the event of a large-scale data breach even where the employer is not directly liable for the breach. The breach reportedly cost the company more than £2m to rectify, and the costs continue to grow in light of the recent High Court decision.
In this case, a disgruntled employee posted a file containing personal details of almost 100,000 Morrisons employees on a file sharing website, then two months later sent a copy of the same data anonymously to three newspapers. The data included names, addresses, dates of birth, NI numbers, bank sort codes and account numbers, and salary details. The employee was arrested, tried in July 2015, convicted of various offences arising out of the data breach (including under the Fraud Act 2006) and sentenced to eight years in prison. Around 5,500 affected Morrisons staff brought a claim alleging that Morrisons was ultimately responsible for breaches of privacy, confidence and data protection obligations.
But what can you or should you do in order to prevent such events taking place, and if they do, to protect your business both at the point of a breach and in respect of any later claims?
Manage employee relations
In the Morrisons case, the employee in question was disciplined following the discovery of a package containing white powder in the company postroom and a subsequent police investigation. The employee, unknown to his employer, ran a sideline operation whereby he bought a slimming drug wholesale and sold it on in smaller quantities, using the company’s postroom. The company held a disciplinary hearing and issued a formal verbal warning, which the judge suggested was the motivation for the employee’s subsequent actions (both the criminal and High Court judges reached that conclusion).
The Morrisons claimants alleged that Morrisons had failed to protect staff data by failing to manage or mentor the employee so as to prevent a grudge developing. Whilst the judge concluded that Morrisons did not know and should not reasonably have known that the employee in question posed a real threat in respect of the employee data, the case illustrates the practical importance of employee relations. Employers should be alert to ongoing resistance or resentment from employees, even where no further formal action is instituted.
The judge similarly accepted that neither the disciplinary incident nor the employee’s reaction to it should have led Morrisons to reassign his duties involving personal data to someone else, but this is a question employers should consider when disciplining staff, particularly in relation to data issues.
Monitoring of staff
The judge here accepted that there were no grounds for ongoing monitoring, and that any such monitoring would have been disproportionate and impractical as well as raising potential privacy issues (referring to Article 8 of the ECHR and the Bărbulescu case).
Employers should first review their policy on monitoring, and make sure it is sufficient to permit monitoring where there is a perceived risk (including in relation to data breaches) and that staff are made sufficiently aware of the policy. Employers should then consider monitoring staff, particularly where there is a perceived risk in respect of data, with reference to that policy and the warnings given to staff.
Interestingly, the judge also made the point that in any event, ongoing monitoring would have been unlikely to prevent the incident – which is always an argument to consider if faced with a breach incident.
Protect staff data
Under Principle 7 of the Data Protection Act 1998 (the “Act”), an obligation which the GDPR retains, employers as data controllers must take measures to secure an appropriate level of security for the personal data that they process.
In the Morrisons case, the employee had legitimately obtained and received the information on a USB device (he was responsible for providing the information to Morrisons’ external auditor, and a colleague had been unable to send it by email using the company’s systems). The employee had then made a further copy, and it was alleged that no-one followed up to ensure that the employee had deleted the personal data, or checked whether he had returned the data or copied it onto another device. The judge felt that the arrangements for ensuring the deletion of data were inadequate, but unhelpfully did not give clear guidance as to how this should have been dealt with in practice.
The question (particularly with the GDPR on the horizon) is what steps should employers be taking to protect employee data? Some of the arguments advanced by the claimants, whilst not upheld by the Morrisons judge, provide food for thought.
- Clear policy documents are an obvious start. Make sure you draw these to the attention of staff regularly and set out what you expect of them.
- Technology is a key point to consider: for example, monitoring email traffic to identify and track transferred data, the use of password and encryption technology, and restrictions on the use of portable devices.
- Practical steps are also worth considering, such as secure storage of paper files in locked areas, restricted access to physical and network spaces as well as to documents, and limits on transporting data physically off-site.
- Reinforcing the importance of data security matters, so regular training and reminder emails to staff could be helpful. For senior staff and those routinely handling personal data, you could consider annual or quarterly compliance statements requiring their response or signature.
There may be circumstances that you cannot plan for – in the Morrisons case, the employee was not perceived as a threat and was a Senior IT Auditor at the relevant time, which perhaps explains how his actions went unnoticed at the time – but a combination of preventative measures, training and clear documentation will all be helpful both in avoiding breaches and in limiting your exposure in the event of a breach.
Technical points of the decision to watch out for
- Primary and vicarious liability: Employers should where possible seek to limit any exposure to primary liability. The bad news, in short, is that if an employee goes rogue and acts in contravention of instructions (even where he is convicted and given a significant jail term), the employer can still be found vicariously liable for the data breach and ordered to pay compensation. The judge found that Morrisons was not directly liable, but was vicariously liable, in respect of the employee Mr Skelton’s conduct. In other words, even though Mr Skelton acted contrary to the company’s instructions, Morrisons were ultimately responsible for ensuring the safety and security of employee data, and Mr Skelton’s rogue actions did not absolve it of that responsibility or of the duties owed to affected staff.
- No requirement to prove monetary loss: The decision builds on the position established in Vidal-Hall v Google EWCA Civ 311 that damages claims under s.13 of the Act can be brought on the basis of distress alone, without monetary loss. Significantly, in the Morrisons case the judge ruled that staff could claim compensation without proof of financial loss. Taking steps to limit the spread of data in the event of a breach will be helpful, but won’t ultimately prevent damages being awarded.
- There is a clear tension between the conclusion that Mr Skelton acted as a data controller in his own right when disclosing the data, and the court’s finding that he was acting in the course of his employment so as to give rise to vicarious liability, and the decision does not resolve this tension – so expect further development on this point.
- The criminal conviction (with a significant jail term) and finding that Mr Skelton took these actions as a result of being unhappy with the disciplinary sanctions imposed on him had little bearing on the High Court’s decision. The judge noted that the point that troubled him most was the argument that Skelton’s wrongful acts were deliberately aimed at Morrisons (so that by finding Morrisons vicariously liable the Court could be seen as an accessory in furthering his criminal aims).
What to take away
In this case, the parties accepted that Morrisons took appropriate steps at the time of the breach to limit the damage and exposure of data, and yet the supermarket chain finds itself in a difficult and costly position as the result of a rogue employee’s actions.
In short, if an employee is convicted in respect of his actions relating to a data breach and given a significant jail term, and the employer is still found vicariously liable for the breach, employers are right to be concerned. This is particularly so given the meaningful increases in fines and sanctions under the GDPR: the consequences for employers as data controllers are stark, and potentially severe.
The finding of vicarious liability means employers could be exposed to serious financial consequences as a result of an employee’s misconduct, particularly in light of the GDPR. Morrisons is a large entity with significant resources, but it is easy to think of smaller employers who handle vast amounts of personal data and who may be unable to meet the costs or take out insurance to cover it. This is not the final word – the judge did give Morrisons permission to appeal his conclusions on vicarious liability, and Morrisons have indicated that they intend to do so – but it is an unhelpful development for employers.
Irrespective of the findings, employers should be looking at the steps taken to educate and inform staff, but also at data security: the processes and procedures in place, the systems used to check and protect information, and other steps to limit data breaches in practice, in order to put themselves in the best position possible with regard to staff data.