Data leaks and employer liability
Picture the scene:
You’re a conscientious employer. You diligently follow data protection laws. One day, you discover your senior IT auditor has been running a slimming drug supply operation from the office mail room, but you let him off with a verbal warning. When that same employee comes by, as part of his job, the personal data (including bank details) of some 100,000 other employees and, in an act of vengeance, posts it online, you move swiftly to remove the offending material and call the police. The employee gets eight years in prison, but surely you’re not liable for anything. Right?
Various Claimants v. Wm Morrisons Supermarkets plc
Such was the position in which Morrisons found itself in the above named case, which reached the Court of Appeal this month. In the first data leak class action in the UK, some 5,000 victims of the leak sued Morrisons over its failure to protect their personal data. The supermarket was found to be vicariously liable and, though the level of damages is yet to be decided (and subject to the appeal), the decision potentially has significant ramifications for employers.
On the facts, Morrisons didn’t do a lot wrong. It was found to have had in place appropriate data protection measures. The employee committed the offence at home on a Sunday, using his personal computer. In fact, other than “worry, stress and inconvenience” on the part of the defendants, it doesn’t appear anyone suffered a financial loss as a result of the leak (unlike Morrisons, which spent some £2 million tackling it). Nevertheless, the judge found an “unbroken thread” between the unauthorised disclosure and the culprit’s work as an employee. Morrisons, in allowing the employee to access the data, had taken “the risk that they might be wrong in placing the trust in him”, and was liable as his employer.
Following the rules not enough?
The judge stated that, in deciding the appropriate level of data protection, employers must weigh the risk of the activity in question (including the severity of harm that may result from a breach) against the costs of protective measures and the importance of conducting the activity. Accordingly, a company with over 100,000 employees is held to a higher standard than one with only a handful.
- Balancing protections with the level of risk
The offending employee came by the data when asked to pass it on to Morrisons’ external auditors. The file being too large to email, it was taken out of a secure system and placed onto a USB stick. Despite being generally commended for its approach to data protection, Morrisons was chided for its failure to have in place a procedure for deletion of the data post-transfer (though on the facts, there was no liability attached, since this was found not to be the cause of the leak). The judge found Morrisons should have conducted checks to ensure the data had been deleted.
- The importance of deleting data
Danielle Lloyd v Carphone Warehouse from 2011 is a good example of how not to handle a data breach. After an enterprising employee tasked with transferring data between phones discovered and tried to sell personal photos of Ms Lloyd to the tabloids, an initial claim for £2,500 was allowed to spiral into £150,000 of legal costs and a £10,000 out-of-court settlement. Morrisons, by contrast, managed the breach reasonably well, but they did, during a successful claim for damages against the employee, make a point of the distress caused to the victims. Naturally, this can hardly have helped when those same victims turned around and sued Morrisons for the same suffering.
- The importance of a plan
With the introduction of the GDPR and resulting heightened awareness around personal data, such class actions are likely to become more prevalent. The Morrisons case shows that even where compliance levels are sufficient to avoid a fine under the GDPR, that may not be enough to prevail in subsequent group litigation.
It serves as another reminder to employers to only process data where strictly necessary, to think carefully about which individuals are granted access, and to ensure data is immediately deleted once it is no longer needed. Having clear employment policies, training and contracts is also essential.
The Ignition Law team are experts in data protection and employment planning and management for start-ups and SMEs. For assistance, please contact Andrea Ward at firstname.lastname@example.org.