In the first group action brought under the Data Protection Act, the High Court has held that a company can be vicariously liable for a rogue employee's data leak.
In 2014, a senior IT auditor (Mr Skelton) employed by the supermarket Morrisons leaked the confidential personal data of nearly 100,000 Morrisons' employees to a file-sharing website. Skelton obtained the data as part of his role in the supermarket's annual audit. The data included bank account details and national insurance numbers of staff, exposing employees to the risk of fraud and identity theft. The leak was triggered by Skelton's malice towards his employer following an unrelated formal disciplinary warning.
Skelton was convicted under the Data Protection Act 1998 (DPA) and the Computer Misuse Act 1990 and sentenced to 8 years' imprisonment.
In civil proceedings brought in the High Court by over 5,000 affected Morrisons employees, the first-ever group litigation data breach case, the court was asked to decide whether Morrisons was either directly or vicariously liable for Mr Skelton's actions.
The Court held Morrisons was not directly liable for the data leak. The leak was carried out by Skelton alone and Morrisons had no reason not to trust him. Morrisons did not directly misuse any information personal to the data subjects nor did they authorise its misuse. The Court considered the data protection principles under the DPA, in particular Principle 7 requiring appropriate technical and organisational measures to protect against unlawful processing of personal data, and found there was no failing by Morrisons which caused or contributed to the unlawful disclosure. Further measures to safeguard personal data, such as monitoring employee internet searches, would be disproportionate, invasive and impractical.
However, Morrisons was held to be vicariously liable for Skelton's actions. The Court noted that dealing with the data was a task specifically assigned to Skelton and he was also tasked with disclosing it to a third party (Morrisons' auditors). It therefore follows, the Court held, that when Mr Skelton received the data, though intending to copy it for misuse, he was acting as an employee and there was an "unbroken thread that linked his work to the disclosure" for which, the Court held, Morrisons was vicariously liable. This was true, the Court held, irrespective of the fact that Skelton carried out the leak using his personal laptop, at home and outside of working hours.
The Court's decision was on liability only and a further trial will determine the level of distress damages payable to the claimants.
The case has profound implications for data controllers who may be the victim of a cyber-security breach carried out by rogue employees.
Even in circumstances where data controllers have robust controls to safeguard personal data, and are innocent of any wrongdoing, the actions of a single rogue employee can open them up to potentially "eye-watering" financial liability.
The case is a warning for companies to review data policies, especially where their employees deal with ultra-sensitive information. Companies should also check insurance policies for appropriate cover and, if not covered, explore the increasing number of cyber-security insurance options available. It is also advisable to have a data security breach response strategy in place to mitigate the actions of rogue employees.
Possibly aware of the unease its decision would cause, the Court granted Morrisons permission to appeal the vicarious liability decision. With the data protection landscape due to change when the General Data Protection Regulation comes into force later this year and individuals becoming more aware of data protection rights, the outcome of the appeal will be of interest to any business holding sensitive employee data.