The first instance decision in this case was reported in Weekly Update 44/17. A disgruntled employee of the defendant employer leaked the personal details (including bank account details) of almost 100,000 other employees on the internet. The employee was a senior IT auditor and had been motivated by a grudge against his employer. At first instance, the judge found that the employer was not directly liable for the breach, which it had not authorised or required, and it had not been the "data controller" at the time of the breach. The employer had put in place adequate and appropriate controls and there had been no indication that the employee, although upset by recent disciplinary action, could not be trusted to do his job. There was no appeal from that decision. However, the judge found that the employer was vicariously liable for the breach and the employer appealed against that decision.
The Court of Appeal has now dismissed that appeal. It agreed with the judge that it is possible for an employer to be held to be vicariously liable for breaches by its employee of the Data Protection Act 1998 ("the DPA"). It held that it was not implicit that Parliament had intended to exclude vicarious liability from the scope of the Act: "if Parliament had intended such a substantial eradication of the common law and equitable rights, it might have been expected to say so expressly".
The Court of Appeal also agreed that, on the facts, the judge had been correct to find that there had been a "seamless and continuous sequence" of events between the breach and the employment relationship. Dealing with the employees' data was a task specifically assigned to this employee. Nor did it make any difference that the breach took place away from the workplace, using his own computer on a Sunday. The Court of Appeal referred to the recent decision in Bellman v Northampton Recruitment (see Weekly Update 36/18) (which was handed down the day after the hearing in this case), in which the employer was held vicariously liable for a tort committed away from the workplace.
At first instance, the judge had added that "the point which most troubled me in reaching these conclusions was the submission that the wrongful acts of [the employee] were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims". The Court of Appeal dismissed those concerns. Prior cases have held that the motive of the employee in a vicarious liability case is irrelevant and there was no exception where the motive was to cause financial or reputational damage to the employer.
Nor did it matter that the potential scale of litigation against employers for data breaches could be ruinous for some employers. The Court of Appeal believed that insurance was the answer: "The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees. We have not been told what the insurance position is in the present case, and of course it cannot affect the result. The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments".