In 2014, the personal details of almost 100,000 employees of Vm Morrisons Supermarket Plc ("the employer") were posted on the internet. These details included salary and bank account details, thus exposing the employees to the risk of identity theft and phishing attempts (in order to access their accounts).
An investigation eventually revealed that the information had been leaked by a senior IT auditor of the employer. It appeared that he had been motivated by a grudge against the employer, having received a formal verbal warning following an incident involving the use of the employer's postal system to send a legal drug. He was convicted under the Data Protection Act 1998 ("the DPA") and sentenced to 8 years in prison.
In the first reported decision of its kind, a class action was brought by some of the 100,000 employees against the employer, on the basis that the employer was both directly (primarily) and vicariously liable for the data breach. Langstaff J has now held as follows:
(1) Direct liability: An employer was not directly liable for a breach which it had not authorised or required. It had not been the "data controller" at the time of the relevant breaches of the DPA. A data controller is the person or company that makes decisions about how and why personal data are processed. It was the employee who became the data controller in respect of the disclosed information once he decided to put it on the internet. The obligations of the DPA relating to unauthorised disclosure are placed on the "controller" alone.
Nor was the employer liable under Data Protection Principle 7 ("DPP7"), which provides that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data…". The mere fact of disclosure does not breach DPP7, and nor is a duty to take reasonable care imposed: "Thus, the fact that a degree of security may technologically be achievable, which has not been implemented, does not of itself amount to failure to reach an appropriate standard". A balance had to be struck and the judge advised that "In short, I would expect a higher standard to be observed as to the measures appropriate to protect data relating to 100,000 employees than I would expect in respect of a small enterprise employing 6 or 7 workers".
On the facts here, there had been no breach of DPP7 by the employer. The employer had put in place adequate and appropriate controls and there had been no indication that the employee, although upset by the recent disciplinary action, could not be trusted to do his job. Furthermore, it would have been impracticable to actively monitor internet searches by employees, and, even if the judge was wrong on that point, he held that such searches would not have prevented the data disclosure which occurred.
Accordingly, the employer was not directly liable under the DPA (or under common law or equity).
(2) Vicarious liability: The principles for establishing vicarious liability were not disputed in this case. Vicarious liability requires (1) the necessary relationship between the defendant and the wrongdoer, and (2) the necessary connection between that relationship and the wrongdoer's conduct.
The first issue to be determined here, though, was whether an employer could be held to be vicariously liable at all for breaches by its employees of the DPA.
The judge determined that it could because "A party may be held liable vicariously even for a breach of a Statute for which the party could not itself be held liable". It made no difference that the employee here had been acting as an autonomous, self-directing controller in respect of the relevant data and that the employer had fulfilled its own obligations under the DPA. The purpose of the DPA and the relevant European Directive would be defeated if "at the moment an employee decides to misuse data to which his employer has given him access the employer ceases to be under any further liability, on the basis that the employee thereafter will be data controller in respect of the misuse".
As to the facts of the particular case, the employer argued that there had been no "necessary connection" (limb (2) of the vicarious liability test) as the employee had used his own computer whilst at home on a Sunday in order to disclose the information on the internet.
That argument was rejected by the judge, who found that there had been "an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events". Dealing with this data was a task specifically assigned to him by the employer and when he had received the relevant data he had been acting as an employee.
Accordingly, the judge found that the employer was vicariously liable for the data breach. Quantum is to be assessed at a later date.
Nevertheless, at the conclusion of his judgment he added that "the point which most troubled me in reaching these conclusions was the submission that the wrongful acts of [the employee] were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims".
Accordingly, he gave leave to the employer to appeal his conclusion as to vicarious liability.
COMMENT: This decision (if it stands following the appeal) has potentially wide-ranging implications for companies and employers following the unauthorised disclosure of data by individual employees. By its nature, and as this case demonstrates, the potential number of victims following a data breach by an employee far exceeds the ordinary number of potential victims in most cases to date involving vicarious liability. The judge rejected an argument by the employer here that "the possibility of "eye-watering liability" may impose enormous pressure on a data controller to limit the presence of human agency". He commented that the potential difficulties faced by companies can be met by appropriate insurance. Whether the insurers will wish to address this risk, though, in policy wordings going forward, remains to be seen.