Is an employer liable for a data breach by an employee?
The Supreme Court issued its judgment in WM Morrison Supermarkets plc v Various Claimants on 1 April 2020, which included consideration of whether an employer of a controller of personal data could be vicariously liable.
The majority of the judgment relates to whether or not Morrison Supermarkets was vicariously liable for the actions of a disgruntled employee regarding a data protection breach.
The case demonstrates the importance of organisations having appropriate control mechanisms in place to mitigate the risk of misuse of personal data by employees. This is all the more important in the current circumstances, with many employees working from home: employers should have security measures in place to prevent employees from transferring personal data from organisational systems to personal systems.
The facts of the case
The circumstances of the case involved a disgruntled employee of Morrison Supermarkets publishing personal data relating to a large number of other employees on the Internet.
The employee committing the breach was given access to the personal information of around 126,000 employees in his position as a senior auditor. After completing the relevant audit task, the employee surreptitiously copied the information to a personal USB stick and uploaded a file containing the personal data of 98,998 of those employees to a publicly accessible file-sharing website.
The employee then took steps to notify three newspapers of the information being available online on the day when Morrison Supermarkets’ financial results were due to be published. One of the newspapers notified Morrison Supermarkets, which then took steps to remove the personal data and inform the police within a few hours.
Following the disclosure, the claimants in the case raised an action against Morrison Supermarkets, arguing that it was vicariously liable for the employee’s conduct.
In its judgment, the court considered the “close connection” between the disclosure of the personal data by the employee and his duties in the course of his employment in terms of whether vicarious liability ought to be imposed.
The court concluded that the employee’s wrongful act was not so closely connected with his authorised duties under his employment as to give rise to vicarious liability: when he committed the breach he was not engaged in furthering his employer’s business but was, rather, pursuing a personal vendetta. Accordingly, Morrison Supermarkets was held not to be vicariously liable for the employee’s conduct.
The need for organisations to have appropriate control measures in place
However, the judgment contains an interesting position with regard to the liability of employers in respect of data protection breaches.
The judgment refers to the Data Protection Act 1998 (the DPA), which has now been replaced by the Data Protection Act 2018, and the court considered the question of whether the DPA excluded the imposition of vicarious liability for a breach committed by a controller of personal data under the DPA.
This was relevant in the particular circumstances of the case as when the employee took the personal data from his work and used it for his own purposes, he became a controller of that personal data.
Morrison Supermarkets sought to argue that the DPA made it clear that liability was only to be imposed on controllers of personal data, and only where “they had acted without reasonable care”. However, the court was not persuaded by this argument and opined that an employer of a controller of personal data could be held to be vicariously liable for any breaches committed by their employees.