Morrisons ruled as vicariously liable for employee's data breach

It’s the story everyone in data protection is talking about. The High Court has ruled that an employer can be vicariously liable for an employee’s misuse of data, even when they can demonstrate that they’ve done as much as reasonably possible to prevent the misuse and when the misuse of data is intended to cause reputational or financial damage to the employer.

The facts

5,518 employees brought a claim against Morrisons (the supermarket chain) for ‘distress-based damages’ following a leak, by a rogue employee, of the payroll data of nearly 100,000 employees. The employee in question had copied the data as part of his job and then, out of working hours, used his personal computer to publish it online.

The court found that the employee, not Morrisons, was the data controller at the point the data was published. Morrisons’ only breach of data protection law was in not having an organised, failsafe system for deleting data stored, albeit temporarily, on an employee’s own computer. The court found that Morrisons had not itself breached data protection law in allowing the employee access to the data, as at that time it had no reason to consider that he posed a risk.

However - and this is where this case is important for employers - the court did hold that Morrisons was vicariously liable for the employee’s conduct. Even though the purpose of the employee’s actions had been to damage Morrisons, the judge ruled that the Data Protection Act did not exclude vicarious liability and, similarly, did not prevent there being vicarious liability for the common law claims of misuse of private information and breach of duty of confidence. Because the employee had received and copied the data as part of his job, the chain of events, tested against whether it was done ‘in the course of his employment’, was unbroken. The judge therefore ruled that Morrisons was vicariously liable for the employee’s actions.

Morrisons intends to appeal this decision. The judge, in handing down his ruling, did voice reservations, given that the actions were aimed at inflicting harm on the employer. We await the appeal.

Considerations for businesses

The GDPR, coming into force on 25th May 2018, will impose significantly tighter obligations on both data controllers and data processors. Importantly, and relevant to this case, it introduces mandatory ‘privacy by design’ obligations whereby organisations must adopt and implement measures to embed privacy and data protection compliance into working practices. In plain English this means making sure there are clearly documented and understood measures in place for processing personal data in such a way that the data cannot be linked to an individual without the use of additional information, which is kept separately and securely.

This might feel like a significant regulatory burden, but had it already been in place it would have changed the outcome of this case. If individuals cannot be identified from the data, that not only reduces the ‘usefulness’ of the data in malicious circumstances such as this, but also reduces the chance of a claim against the organisation itself. Finally, regulators would look more favourably on an organisation whose data breaches only affect pseudonymised or encrypted data.
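As an added illustration, not taken from the original article, of what pseudonymisation in the sense just described looks like in practice: direct identifiers in a constructed payroll extract are replaced with keyed tokens, and the key and lookup table are the ‘additional information’ that has to be held separately from the extract. Field names and sample values are assumptions for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample payroll extract for the example (not real data).
PAYROLL = [
    {"name": "A. Example", "ni_number": "QQ123456C", "salary": 24000},
    {"name": "B. Example", "ni_number": "QQ654321A", "salary": 31000},
]

# Fields that identify a person directly and must not leave with the extract.
DIRECT_IDENTIFIERS = ("name", "ni_number")


def pseudonymise(records, key):
    """Replace direct identifiers with keyed tokens.

    Returns (pseudonymised_records, lookup). The lookup maps each token back
    to the original identifiers; together with the key it is the separately
    held 'additional information'. The pseudonymised records on their own
    identify nobody, which is what limits the damage if they leak.
    """
    out, lookup = [], {}
    for rec in records:
        # HMAC with a secret key: the same person gets the same token in every
        # extract, but without the key a token cannot be reversed or re-derived
        # from a guessed identifier (NI numbers are far too guessable for a
        # plain hash).
        token = hmac.new(key, rec["ni_number"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        out.append({"token": token,
                    **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out, lookup


def reidentify(pseudo_records, lookup):
    """Rejoin identifiers to records; only possible with the separate lookup."""
    return [{**lookup[r["token"]], **{k: v for k, v in r.items() if k != "token"}}
            for r in pseudo_records]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice held in a separate key store
    pseudo, lookup = pseudonymise(PAYROLL, key)
    print(pseudo)                  # tokens and salaries only, no names or NI numbers
    assert reidentify(pseudo, lookup) == PAYROLL
```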

In short, if businesses cannot demonstrate that they have GDPR-compliant technical and organisational measures in place, to prevent data breaches, they could be facing significant fines in the future… even if the breaches have taken place because of malicious intent on the part of employees.