By Ali Qassim
U.K. companies with even strong security are on alert because they could be held responsible for data breaches caused by employees following a recent landmark ruling, privacy and employment attorneys told Bloomberg Law.
After an employee of the grocery store company Wm Morrisons Supermarket PLC posted the personal information of 99,998 workers on a file-sharing site, 5,518 employees filed a group lawsuit over the breach of their data, including bank account and salary information. The England and Wales High Court of Justice absolved the company of primary liability under the country’s privacy statute but decided that it was vicariously liable for the actions of its former Senior IT Auditor Andrew Skelton, whom the court described as a rogue employee now serving an eight-year prison term.
The judgment “has serious implications for all businesses,” Alison Deighton, partner and head of data protection and privacy at London-based law firm TLT, told Bloomberg Law. It “means that even if a business has training and policies in place and appropriate security controls, if an employee decides to steal their data and use it in an unauthorized way, the business could be on the hook for this behavior.”
The court addressed only liability, leaving discussion of remedies, including ordering Morrisons to take corrective action and damages to compensate affected workers, for later. The company will be appealing the liability ruling, Morrisons said in a Dec. 7 statement provided to Bloomberg Law.
The financial implications for companies are major, Suzanne Horne, partner and head of employment law at Paul Hastings (Europe), in London, told Bloomberg Law. If Morrisons loses the appeal, “it will cost the supermarket millions,” she said. Upholding the vicarious liability holding would “open the floodgates for thousands of similar claims. The cost to companies is unquantifiable.”
The financial impact on Morrisons from the large number of plaintiffs in the case is unclear, as the court would have to assess questions of harm to workers whose information was compromised if the ruling is upheld.
Morrisons is the third largest publicly traded food and drug store in the U.K. with 16.32 billion pounds ($21.9 billion) in fiscal year 2017 revenue, according to Bloomberg data. The company has already spent more than 2 million pounds ($2.6 million) on litigation expenses and providing anti-fraud protection for affected workers, a Morrisons spokeswoman told Bloomberg Law.
In the liability ruling, Judge Brian Langstaff granted leave to Morrisons to appeal.
“The High Court judge himself indicated that he had doubts over whether the finding of vicarious liability should be upheld, particularly as this approach would mean that the court would assist the rogue individual with furthering his own criminal ends by finding Morrisons liable for the data breach,” Deighton said.
The court’s reasoning may leave it open to being reversed.
Because the court held that Morrisons didn’t violate its obligations under the Data Protection Act, “it cannot be that the employee’s criminal actions could be ‘carried out in the course of employment’—which is the standard test,” Horne said. Looking at similar vicarious liability scenarios involving employment discrimination, “an employer will not be liable if it can show that it took such steps as were reasonably practicable to prevent the employee from performing the discriminatory act,” she said.
Companies have had cybersecurity issues as a top priority in recent years, but this “added element of taking responsibility for employee misuse of data is a significant development of the law,” Horne said.
Even if they vet their workers and train them in data security, companies could find themselves liable for unauthorized actions of employees outside of work using personal computers, she said. Therefore, companies need to reassess their data security and employee oversight programs, she said.
Companies need to understand that “malicious employees could cause serious problems and create liabilities for data breaches,” Deighton said.
The case is Various Claimants v. Wm Morrisons Supermarket, PLC, EWHC (QB) (U.K.), No. HQ15X05099, 12/1/17.
To contact the reporter on this story: Ali Qassim in London at email@example.com
To contact the editor responsible for this story: Donald Aplin at firstname.lastname@example.org
The court opinion is available at http://src.bna.com/uNO.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.