Vicarious liability for deliberate data breaches
Can a business be held vicariously liable for the actions of an employee who deliberately breaches their employer's data protection policies and data protection law?
In late 2013 the Defendant, Morrisons, had tasked one of its senior IT auditors, Andrew Skelton, with providing KPMG with a copy of its payroll master file for the purpose of the annual statutory audit. Without Morrisons' knowledge, Andrew Skelton retained a copy of the payroll master file and later posted the payroll data to a file-sharing website and sent copies of the data to various newspapers. The data concerned almost 100,000 employees.
The newspapers alerted Morrisons to the data breach and Andrew Skelton was subsequently arrested and convicted of criminal offences in relation to his misuse of the payroll data. Mr Skelton's motive was found to be malicious and in response to a disciplinary sanction imposed by Morrisons earlier in 2013. Despite Morrisons acting quickly to protect the affected employees upon learning of the data breach, just over 5,500 employees brought claims against Morrisons.
The Claimants brought a claim for compensation for breach of statutory duty under s.4(4) of the Data Protection Act 1998 (DPA), and at common law for misuse of private information and breach of confidence. They argued that Morrisons bore both primary and vicarious liability for Skelton's acts.
Langstaff J found that Morrisons was not liable for any direct breach of the DPA that would have caused the unauthorised disclosure of the employees' personal data. In particular, he found that the extraction and transfer of the data to Skelton had been secure and, even if it had not been, was not the cause of the unauthorised publication of the data online. There had been no breach of the seventh data protection principle in permitting Skelton access to the data.
While Morrisons were not liable under the DPA, the Claimants did succeed with their alternative argument that Morrisons should be vicariously liable for the actions of Mr Skelton. Langstaff J found that "there was an unbroken thread that linked" Skelton's work to the disclosure, that Skelton had been deliberately entrusted with the data by Morrisons, and was acting as an employee when he received the data. The Judge rejected the contention that the fact that the disclosures were made at the weekend, using personal equipment at home, disengaged them from his employment. Skelton's motive was irrelevant in determining vicarious liability.
Why is this important?
The implication of the judgment is that, even where an organisation has achieved compliance with its obligations as a data controller, at considerable expense, it may nevertheless be held liable for the conduct of an employee acting on their own account, even where those actions are criminal and deliberately targeted at harming the organisation. There is an obvious tension in such a finding.
Any practical tips?
While regulatory compliance may protect a data controller from the substantial fines available to the ICO under the GDPR, it will not be sufficient to avoid the prospect of liability for compensation and costs in group litigation, whether brought by individuals themselves or by a not-for-profit body on their behalf under the new rights afforded by the GDPR. Businesses need to take appropriate steps to prepare for such potential liability, in particular by obtaining insurance cover against the risks and by having robust processes in place to mitigate the harm when a data breach occurs.