
Employer liable for employee's malicious data breach

Posted on 20 March 2018

Data breach stories continue to hit the news, and will only continue to do so as we get ever closer to the new GDPR regime in May 2018. Whilst the GDPR brings with it the risk of substantially increased fines for those businesses in breach of its principles, a data breach may also lead to individuals, who are increasingly aware of their data rights, bringing claims for damages. Such claims can be for distress caused by the breach, even where no monetary loss has been caused.

Employers must of course be alive to potential liability for their own acts. A recent High Court decision (Various Claimants v Wm Morrisons) has also highlighted the risk of vicarious liability for data breaches, i.e., liability for the acts of their employees. The case concerned a data breach at the supermarket giant Morrisons and is the first group litigation data breach claim, with 5,500 employees joining the action. Morrisons has been given permission to appeal, and the Court of Appeal will hear its arguments in October this year.
In 2014, a disgruntled Morrisons employee, a senior IT auditor, posted a file containing the personal details of some 100,000 employees on a file sharing website. The data comprised names, addresses, gender, dates of birth, phone numbers, national insurance numbers, banking details and salaries. The breach had serious implications for Morrisons, including a reduction in its share price and reputational damage.
The employee was subsequently imprisoned for eight years for offences under the Computer Misuse Act 1990 and the Data Protection Act 1998. His actions were motivated by a grudge against Morrisons, and caused significant damage to its reputation. In most cases of vicarious liability, the fact that the act is done for the employer's benefit is highly material to a finding that it was done in the course of employment. Here, however, the Court decided that Morrisons should be liable for the actions of its employee, who was undertaking his normal duties, albeit in a malicious way, thereby effectively punishing Morrisons further for its rogue employee's actions.

The Court rejected Morrisons' argument that the Data Protection Act excludes any possibility of vicarious liability, as well as its other public policy arguments. The employee had carried out the data breach in the course of his employment because:

  1. There was an unbroken thread that linked his work to the disclosure.
  2. Morrisons had deliberately entrusted him with the payroll data.
  3. His role was to receive and store the payroll data and to disclose it to a third party.
  4. When he received the data, even though he was covertly intending to copy it for misuse, he was acting as an employee, and the chain of events from then until disclosure was unbroken. It did not matter that he made the disclosures from home, using his personal equipment and on a Sunday.

Whilst the Judge decided that Morrisons was vicariously liable for its employee's criminal acts in relation to the data breach, it was a conclusion that clearly troubled him, as he recognised that it effectively made the court an accessory to the employee's criminal aims. Accordingly, in an unusual step, the Judge granted Morrisons permission to appeal to the Court of Appeal without it having to make an application for permission. However, the Judge also stressed that the employees' claim was not for the damage done to Morrisons, but for the damage to their individual privacy rights: "the issue is not so much at whom the conduct was aimed, but rather upon whose shoulders it is just for the loss to fall".

For businesses already grappling with preparations for GDPR, the decision underlines the pressing need for stringent data processing and security policies, with the aim of being able to detect and prevent such breaches. It is possible, however, that a different approach to liability may be adopted under GDPR, which provides that a data controller or processor will not be liable if "it is not in any way 'responsible' for the event giving rise to the damage" (in this case, the Judge found that Morrisons was not 'directly responsible' for the breach, but under the GDPR the outcome would depend on how 'responsible' is interpreted).