U.K. Employers Wary of Data Breach Liability From Rogue Employees


By Ali Qassim

U.K. companies are on alert after a recent landmark ruling because they could be held responsible for data breaches caused by their own employees, even where their security controls are strong, privacy and employment attorneys told Bloomberg Law.

After an employee of the grocery store company Wm Morrisons Supermarket PLC posted the personal information of 99,998 workers on a file-sharing site, 5,518 of those employees filed a group lawsuit over the breach of their data, which included bank account and salary information. The England and Wales High Court of Justice absolved the company of primary liability under the country’s privacy statute, the Data Protection Act, but held that it was vicariously liable for the actions of its former senior IT auditor, Andrew Skelton, whom the court described as a rogue employee. Skelton is now serving an eight-year prison term.

The judgment “has serious implications for all businesses,” Alison Deighton, partner and head of data protection and privacy at London-based law firm TLT, told Bloomberg Law. It “means that even if a business has training and policies in place and appropriate security controls, if an employee decides to steal their data and use it in an unauthorized way, the business could be on the hook for this behavior.”

The court addressed only liability, leaving remedies for a later hearing. Those remedies could include ordering Morrisons to take corrective action and awarding damages to compensate affected workers. Morrisons said in a Dec. 7 statement provided to Bloomberg Law that it will appeal the liability ruling.

The financial implications for companies are major, Suzanne Horne, partner and head of employment law at Paul Hastings (Europe), in London, told Bloomberg Law. If Morrisons loses the appeal, “it will cost the supermarket millions,” she said. Upholding the vicarious liability holding would “open the floodgates for thousands of similar claims. The cost to companies is unquantifiable.”

The financial impact on Morrisons of the large number of plaintiffs is unclear: if the liability ruling is upheld, the court would still have to assess the harm suffered by each worker whose information was compromised before any damages could be fixed.

Morrisons is the third largest publicly traded food and drug store in the U.K. with 16.32 billion pounds ($21.9 billion) in fiscal year 2017 revenue, according to Bloomberg data. The company has already spent more than 2 million pounds ($2.6 million) on litigation expenses and providing anti-fraud protection for affected workers, a Morrisons spokeswoman told Bloomberg Law.

Appeal Issues

In the liability ruling, Judge Brian Langstaff granted leave to Morrisons to appeal.

“The High Court judge himself indicated that he had doubts over whether the finding of vicarious liability should be upheld, particularly as this approach would mean that the court would assist the rogue individual with furthering his own criminal ends by finding Morrisons liable for the data breach,” Deighton said.

The court’s reasoning may leave the ruling open to reversal on appeal.

Because the court held that Morrisons didn’t violate its obligations under the Data Protection Act, “it cannot be that the employee’s criminal actions could be ‘carried out in the course of employment’—which is the standard test,” Horne said. Looking at similar vicarious liability scenarios involving employment discrimination, “an employer will not be liable if it can show that it took such steps as were reasonably practicable to prevent the employee from performing the discriminatory act,” she said.

Preventative Measures

Companies have treated cybersecurity as a top priority in recent years, but this “added element of taking responsibility for employee misuse of data is a significant development of the law,” Horne said.

Even if they vet their workers and train them in data security, companies could find themselves liable for unauthorized actions of employees outside of work using personal computers, she said. Therefore, companies need to reassess their data security and employee oversight programs, she said.

Companies need to understand that “malicious employees could cause serious problems and create liabilities for data breaches,” Deighton said.

The case is Various Claimants v. Wm Morrisons Supermarket PLC, EWHC (QB) (U.K.), No. HQ15X05099, 12/1/17.

To contact the reporter on this story: Ali Qassim in London at correspondents@bloomberglaw.com

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com

For More Information

The court opinion is available at http://src.bna.com/uNO.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.