Employers liable for data breach by employees
A recent case involving the supermarket giant Morrisons is a timely reminder to employers of the importance of ensuring data security.
This case involved a disgruntled senior IT Manager who harboured a grudge against his employer following disciplinary action taken against him the year before. In an attempt to cause his employer harm, he deliberately published on the internet the personal details of almost 100,000 Morrisons employees (including their names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and salary) and sent the details to three newspapers. The data had originally been given to him as part of his role (it was needed for an audit), but he had published the details from his home, on his personal computer and outside working hours. The rogue employee, Mr Skelton, was duly tried and convicted of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA) and sentenced to eight years in prison.
Over 5,000 employees subsequently brought claims against Morrisons for breach of statutory duty in relation to the DPA, for the misuse of private information and for breach of confidence. They claimed that the data disclosure exposed them to potential identity theft and other financial loss and sought compensation for the distress and loss caused. Morrisons denied liability and one of their arguments was that they were not liable for the criminal actions of the IT Manager.
The case came before the High Court earlier this month, which ruled that Morrisons were vicariously liable for their employee’s conduct. The court found that his actions had been in the course of his employment, on the basis that the conduct was closely connected with his authorised duties: in particular, Mr Skelton had been given access to the information as part of those duties. The court held that there was a seamless and continuing sequence of events and a sufficient connection between his employment and the wrongful conduct.
This decision has particular significance in light of the EU General Data Protection Regulation (GDPR) which will come into force on 25 May 2018 and impose much stricter obligations on employers and other data controllers. Under the new regime, data breaches of this nature must be reported to the Information Commissioner and the individuals affected within 72 hours of the controller becoming aware of the breach. Failure to comply with the GDPR can result in penalties of up to 4% of global turnover (or 20 million euros).
This case and the GDPR should put data security at the forefront of organisations’ risk management strategies. It is important that organisations:
- are not only aware of the significant changes being brought in by the GDPR but are taking steps now to prepare for and implement the necessary changes to ensure compliance come 25 May 2018;
- ensure that staff policies on data protection and cyber security are up-to-date and fit for purpose; and
- ensure that staff are aware of policies and procedures on data protection and cyber security.
For employers who have taken these steps and provided relevant and adequate training to their employees, the outcome for them might be different; however, they will still have obligations to ensure data security.
Morrisons have been granted the right to appeal this decision and so this may not be the final chapter in this case.
The full case report can be found here.
This article was co-authored by David Flint, Senior Partner.