In a decision that will concern all employers, the High Court has held that Morrisons supermarket was liable for the deliberate data breach by one of its employees, even though he intended to cause harm to his employer.
The employee in question worked for Morrisons as an internal auditor and one of his tasks was to provide payroll data to the external auditors to assist with the annual audit.
He held a grudge against Morrisons after earlier disciplinary action had been taken against him in an unrelated matter and took the opportunity to post the payroll data of nearly 100,000 employees of Morrisons on the internet.
The employee was convicted of criminal misuse of the payroll data and 5,518 of the affected Morrisons employees subsequently took group action to recover damages from Morrisons for the distress caused by the wrongful disclosure of their personal data. The High Court had to decide whether Morrisons was liable, either directly or vicariously, for the employee’s actions.
The High Court held that Morrisons was not directly liable for the deliberate data breach. Although Morrisons was the data controller of the payroll data and it gave the employee access in his capacity as an internal auditor, it ceased to be the data controller when he copied the data and published it on the internet outside working hours, from a personal computer and without Morrisons’ consent. The employee became the data controller when he copied the data.
The court held that, on the whole, Morrisons had put in place appropriate security measures, including encryption. It should, however, have ensured the payroll data was deleted from the employee’s work computer after it had been passed to the external auditors, but it was held that this failure did not contribute to the wrongful disclosure.
So far, so good, for Morrisons. But the High Court went on to hold that Morrisons was vicariously liable for the breach. For an employer to be vicariously liable for an employee’s actions the employee must be acting in the course of his or her employment.
The High Court held that there was a series of events which created a sufficient link between the employee’s role (giving him access to the payroll data) and his breach, such that it could be held that the breach arose during the course of his employment. This was sufficient to establish vicarious liability, despite the court holding that the employee had become the data controller, that the proper performance of his duties did not involve unauthorised disclosures of personal data and that the employee intended to cause Morrisons harm. Morrisons was given permission to appeal the decision.
This is a concerning decision for all employers. On one hand the court held Morrisons had taken appropriate measures to secure the payroll data and it was therefore not directly liable for the breach. On the other hand it has rubbed salt into Morrisons’ wound by holding it vicariously liable for its employee’s rogue actions.
The amount of damages payable to Morrisons’ employees was not determined by this decision, which was only concerned with whether Morrisons was liable. However, given the large number of employees affected, even a small damages payment per employee would amount to a significant aggregate cost.
With the General Data Protection Regulation applying from 25 May 2018, this decision could herald more group actions as employees become more aware of their rights and the potential fines against data controllers (and, for the first time, data processors) become more costly.