The Court of Appeal has confirmed that employers can be liable for data breaches perpetrated by rogue employees, even where the employer is not directly at fault.
The decision is a significant blow to employers who had hoped for a reversal of the High Court decision last year (see our blog here). The case involved a disgruntled employee of the supermarket chain Morrisons, who leaked the payroll data of around 100,000 fellow employees online and to newspapers. The High Court held that, although Morrisons was not primarily liable for the data breach, it was vicariously liable for the unlawful acts of its employee.
An employer will be vicariously liable for the actions of its employee if that employee is acting ‘in the course of the employment’, even where those acts are unlawful. Whether the acts are sufficiently closely connected with employment to be ‘in the course of the employment’ will depend on the facts of the particular case.
In this case, the Court of Appeal agreed that they were sufficiently closely connected – the rogue employee’s acts in sending the data to third parties were ‘within the field of activities’ assigned to him by Morrisons, and there was an unbroken thread that linked his work to the unlawful disclosure. On this basis, it was held that the employee was acting in the course of his employment, rendering Morrisons vicariously liable for the losses suffered by those affected by the breach. This was the case despite the fact that the employee leaked the data specifically in pursuit of a grudge against his employer. Counsel for Morrisons argued in vain that holding employers liable in such circumstances ‘might have a chilling effect on enterprise and efficiency.’
What does this mean for employers? The decision is troubling as it demonstrates that businesses can be held liable for an unlawful data breach even where they are not at fault and could do little to prevent the wrongdoing. As pointed out in the judgments, there is a danger that the decision could incentivise disaffected employees into abusing their access to data in order to harm their employer. Ultimately it may contribute to an uptick in group actions against employers for these kinds of incidents, with the potential for significant damages awards. The Court of Appeal’s response to these objections is that employers should seek appropriate insurance cover, although the existence of insurance cover does not affect the legal analysis. Businesses should consider whether their current policies properly protect them against this risk.
This was a case of an employee with authorised access to significant amounts of employee data behaving in a criminal way. This type of risk is probably the hardest for businesses to guard against. However, if businesses can be held liable in these circumstances, then – as well as insurance - businesses should review how they manage ‘authorised access’. They should also review how they assess individuals to be suitable for positions where they can access data and consider the extent to which they should make changes to existing data security procedures.
The Court of Appeal judgment is here. Morrisons has said that it will appeal to the Supreme Court. No decision has yet been made on the amount of any compensation.