Are employers now liable for rogue employees’ data protection breaches?

The General Data Protection Regulation (GDPR) will come into force on 25 May 2018. Whilst organisations are (or at least should be) gearing up for GDPR, the recent decision in Various Claimants v WM Morrisons Ltd serves as a reminder of their current data protection obligations and the possible consequences of breaching them. Worryingly for employers, it widens the scope of their liability for acts undertaken by rogue employees acting alone and potentially outside of working time.

What happened?

Andrew Skelton was employed as a Senior IT Auditor by Morrisons. He was disciplined by Morrisons for an act of misconduct. Disgruntled by this sanction he plotted to get back at Morrisons by anonymously leaking the personal data of nearly 100,000 Morrisons’ employees onto the internet with the intention of Morrisons suffering significant reputational damage as a result. Mr Skelton had access to this personal data because he was given the responsibility of transferring the employees’ payroll data to its external auditors. Without Morrisons’ knowledge or consent, Mr Skelton copied the personal data shortly after transferring it to the auditors and uploaded it onto the internet.

Some of the employees brought a claim against Morrisons, arguing that, whilst Mr Skelton had acted alone and without Morrisons’ consent or knowledge, Morrisons was either directly liable for his actions or vicariously liable. The Court found that Morrisons was not directly liable for the data protection breaches, but because his misuse of personal data was closely related to what was required of him during his employment (the transferring of data to the auditors), Morrisons was vicariously liable for his actions.

Why is this an issue?

The decision will be seen by some employers as quite harsh because Mr Skelton leaked the data from his home computer outside of working time and did so with the intention of causing serious harm to Morrisons. Indeed, this was recognised by the Court which has already given Morrisons permission to appeal the decision.

If any appeal is unsuccessful, this could open the floodgates for more claims of vicarious liability against employers for data breaches committed by their employees. Not only could this lead to civil damages and financial penalties but potentially reputational damage from the publicity such cases generate.

What do I need to do?

It’s important to note that the outcome of this case would not have been different under GDPR.

If you haven’t already started gearing up for GDPR compliance, now is a good time to do so. Employers who breach the GDPR will be liable to criminal prosecution and a fine of up to €20m or 4 per cent of global annual turnover, whichever is the greater.

Data security protocols, data protection policies and privacy statements should be reviewed and updated, and staff who will have access to personal data should be trained on a regular basis, with records of that training kept. The Morrisons case also suggests that risk assessments should be carried out before decisions are made about which employees have access to significant quantities of personal data, and that adequate security protocols should be put in place when that data is transferred.

If you have any concerns about being GDPR ready, please contact Carolyn Brown.