Data breach – employer’s liability for an employee’s wrongdoing

Employers can be liable for wrongdoing committed by an employee where there is a sufficient connection between the employment and the wrongdoing. We reported last year on a case in which the employer was found liable for an assault on a customer by an employee.

The High Court has now considered the first ever class action concerning a data breach, brought by 5,518 workers after personal details of almost 100,000 colleagues were posted on the internet.

Mr S was employed as a senior IT internal auditor. He was in a position of trust and had access to personal data about employees which was sensitive and confidential, including payroll information. The employer’s external auditors requested payroll data from the employer for audit purposes. Mr S was tasked with sending that information to the auditors. The data was contained on secure software, to which only a few employees (but not Mr S) had access. Mr S was given an encrypted USB stick containing the information which he downloaded to his work computer. He then loaded the information onto another USB stick provided by the auditors and forwarded it to them.

Mr S then copied the downloaded data from his computer onto a personal USB stick and posted it on a file sharing website. Mr S had used another employee’s details to open an account in order to post the file onto the internet.

The co-workers whose data had been disclosed brought a group civil claim against the employer for compensation for a breach of its duty under the Data Protection Act, misuse of private information and breach of confidence.

The High Court held that the employer was vicariously liable for the acts of Mr S. It took into account a number of factors. There was a seamless and continuous sequence of events that linked Mr S’s employment to his disclosure. Mr S was not only given access to data through his work, his employer deliberately entrusted him with it. In his role, he had information which was confidential or had limited circulation only. His role was to receive and store payroll data and disclose it to a third party – the fact he chose to disclose it in an unauthorised way was still closely related to what he was tasked to do. When he received the data, he was acting as an employee. The chain of events from then until he disclosed the information was unbroken. The fact that the disclosures were made from home, using his personal equipment on a non-working day, did not disengage them from his employment. The fact that Mr S was motivated by a grudge relating to earlier disciplinary proceedings did not prevent the employer being liable, particularly where the grudge was work related.

There was in this case sufficient connection between the position in which Mr S was employed and his wrongful conduct to make the employer vicariously liable for Mr S’s conduct.

Comment

The employer has been granted leave to appeal so we may not have heard the last of this case. However, the High Court’s decision could cause concern for employers. The employer in this case had several measures in place to ensure the security of information, but this decision suggests that even so, an employer could be found liable for the actions of an employee misusing data even where that misuse is intended to cause reputational or financial damage.

Employers should be aware of and be preparing for the introduction of the GDPR in May 2018, which will replace the Data Protection Act. Our next employment law update, where we will consider the employment implications of the GDPR is on 23 January 2018.

Various claimants v Wm Morrisons Supermarket PLC [2017] EWHC3113

12 December 2017

LAST POST