Prior to the introduction of the General Data Protection Regulation (GDPR) earlier in 2018 many businesses took the time to review their practices around the use of personal data to reduce any potential risk of accidental breaches of their obligations. Such breaches could give rise to claims by those whose data has been misused, but can an organisation still be liable for breaches which occur as a result of the malicious actions of a disgruntled employee? Who ultimately holds responsibility for ensuring adherence to the Regulation?
In the recent case of Wm Morrison Supermarkets Plc v Various claimants  EWCA Civ 2339, the Court of Appeal upheld an earlier decision that an employer was liable for the misuse of personal data by a rogue employee, even though the employee had set out to deliberately harm his employer.
What recourse do individuals have if their data rights are breached?
Although the Information Commissioner was established as the independent authority to uphold information rights in the UK, individuals can also look to the courts for compensation. Where personal data is misused individuals can bring claims for a breach of confidence if it can be established that confidential information was provided to a data controller in circumstances where there was an obligation of confidence and that its subsequent disclosure caused the individual to suffer a detriment. In addition, an individual can also bring a claim for the wrongful disclosure of private information.
These claims were the basis for the Morrisons case. An internal IT auditor, who held a grudge against the business, copied the personal data (including payroll data) of nearly 100,000 employees on to a USB stick. From home, he then posted the information on the internet and used another employee’s details in an attempt to avoid detection. This deception was unsuccessful as he was identified as the source of the breach and subsequently convicted of criminal offences.
Who ultimately holds the responsibility?
Being a private individual of limited means there was little to be gained by any of the affected employees in bringing a claim against this rogue employee. Instead, the claimants issued proceedings against Morrisons, alleging that it was vicariously liable for the actions of its erstwhile employee.
In order for an employer to be vicariously liable for an employee’s actions, it is necessary to show that there is a sufficiently close connection between the employment of the wrongdoer and their unlawful actions. The High Court held that although Morrisons was not directly responsible for the data breaches there was a sufficiently close connection between the position in which the employee had been employed for Morrisons to be held liable for his actions.
Morrisons appealed to the Court of Appeal, in part on the basis that it could not be liable for their employee's actions as they had taken place out of hours, at the employee’s home and therefore were not during the course of his employment. Their appeal was unsuccessful, with the Court finding that the liability was established once the employee had improperly downloaded the data onto the USB stick while at work. In addition, there was a seamless and continuous sequence of events from downloading the data, posting it and taking steps to cover his tracks, which were all part of a plan.
The Court acknowledged that in holding Morrisons liable for the employee’s actions it was in part furthering his aim of causing it harm. However, it took the view that if it found in favour of Morrisons, in the hypothetical circumstances that data was used to obtained large sums of money from employees bank accounts, those affected would have no remedy except against the rogue employee personally.
Further developments to come
This decision has been appealed to the Supreme Court, and therefore this may not be the final word on the matter. As things stand, Morrisons faces considerable liabilities with the case originally being pursued by 5,518 of the 100,000 affected employees. Although any possible compensation awarded to each individual claimant may not be substantial, the combined payments would potentially be and Morrisons would then face the prospect of further claims by other affected employees.
What does this mean for other businesses?
In light of this ruling, businesses should consider how best to protect themselves from potential claims arising from the malicious actions of employees, as well as inadvertent data breaches. Such steps may include insuring themselves against claims arising out of similar malicious actions, either through existing public liability insurance or bespoke cyber insurance policies. In addition, businesses should also ensure that they have clear and robust Data Protection policies and security provision, accompanied by appropriate training.