Can an Employer be Liable for an Employee’s Deliberate Data Protection Breach?

Data is an extremely lucrative and powerful commodity. During the first quarter of 2018, the Guardian reported that Facebook took £500,000 in revenue every five and a half minutes (the Guardian, 11/07/2018). With expansive volumes of data being held, high publicity surrounding breaches and the implementation of the General Data Protection Regulation (EU) 2016/679 (GDPR) on 25 May 2018, data protection has become one of the ‘hot topics’ of 2018.

Recently, the Court of Appeal heard the case of Wm Morrison Supermarkets plc v Various Claimants. This was the first group claim following a data breach in the UK. The Court of Appeal considered whether employers can be vicariously liable for data breaches by employees, even if the employer was not at fault under data protection laws or other legislation, and where the breach itself was prompted by a desire to cause harm to the employer.

What is vicarious liability?
An employer can be liable for the actions of its employees (and other persons in a relationship akin to employment) if the actions are carried out in the course of employment and are so closely connected with the employment that it would be fair and just to hold the employer vicariously liable.

The facts of the case
A disgruntled employee copied the personal data of 99,998 employees of Wm Morrison Supermarkets plc (Morrisons) onto a USB and posted it onto a file sharing website. The data consisted of names, genders, addresses, dates of birth, phone numbers, national insurance numbers, bank account details and salaries. The rogue employee anonymously sent a CD containing a copy of the data to three newspapers. Morrisons were informed and acted diligently. They took steps within a few hours to ensure the offending website was taken down and alerted the police. The rogue employee was convicted and sentenced to eight years’ imprisonment.

Following the breach, a claim was brought suggesting that Morrisons were vicariously liable for misuse of private information and breach of confidence. The Court of Appeal upheld the decision of the High Court that the wrongful acts occurred in the course of the rogue employee’s employment and, as a result, Morrisons are vicariously liable for the employee’s actions. The employee’s motive to cause damage to Morrisons was irrelevant. Consequently, Morrisons are liable to over 5,518 individuals for damages.

Steps to protect yourself
The outcome of this case, alongside the increased fines under the GDPR, is likely to increase the costs to an employer in the event of a data breach, as the employer could be liable not just for fines and reputational damage but also for compensation. Employers must seriously consider data legislation and how they can best protect themselves both against outside breaches and those which could be caused by employees. The Court of Appeal indicated that ‘the solution is to insure against such catastrophes’, though the effectiveness of insurance in practice remains uncertain.

In any event, fines will undoubtedly be higher if an employer does not have effective measures in place to comply with data protection legislation. It is important to take measures such as carrying out data protection impact assessments, providing privacy notices to data subjects, implementing policies and procedures to deal with breaches effectively and reviewing contracts of employment and staff handbooks.

If you need any assistance with data protection compliance or employees, please contact a member of our Employment Law team.