The courts have held an employer liable for a rogue data breach by an employee – although the company broke no rules. James Bessey explains why


Most people and therefore most employers probably think that they are liable only for the direct authorised acts of their employees. Put simply, this means acts and omissions when they are doing their work for you – the work you have asked them to do. 

So in that context the long-awaited judgment from the Court of Appeal that Morrisons is liable for a malicious data leak by a disgruntled employee is probably a bit of a wake-up call. It is one thing carrying the can for what an employee was supposed to be doing, but quite another when they are intentionally doing something they are not supposed to do. 

The reality of course is most employer liability will stem from accidents or errors or omissions during the scope of lawful activities. So it is worth noting why Morrisons came so unstuck when the act was unlawful and unauthorised.  

What went so terribly wrong? A senior IT operative had access to the Morrisons payroll database. Nothing unusual about that. It contained all the usual but confidential and private information on its employees, such as names, addresses, dates of birth, bank account details and salary information. Again, nothing unusual – but equally not the sort of information that employees would want distributed. 

Then the senior employee intentionally leaked this database information on the dark web. He apparently harboured a grudge over allegations of dealing in legal highs at work. He was arrested and convicted for breaches of the Computer Misuse Act 1980 and the Data Protection Act 1998. He was given eight years’ imprisonment, which is some indication in itself how the courts viewed this conduct.

At this point, his activities became a real problem for Morrisons, which faced claims by employees. Some 100,000 employees are believed to have been affected. The court determined that the best way forward was to decide whether Morrisons was liable first and then determine compensation second. 

The liability issue itself split into two main categories. One could be described as relating to data protection rules/regulation and the second to what is known as vicarious liability – the liability of an employer for the acts of employees. 

Despite the demanding and strict nature of the law around data, principally the Data Protection Act 1998, Morrisons avoided liability on this first issue. Technically Morrisons was not the “controller” of the information at the time of the breach; that was the individual. It had done all it could in terms of processes and systems, even to the extent that the Information Commissioner’s Office – the supervisory body – did not bring an action against Morrisons, which it seemed to view as a victim of a crime itself. 

However, on the second issue – vicarious liability – the first-instance court did find Morrisons liable. The difficulty for the court was that such a finding was exactly what the perpetrator wanted: by ruling against Morrisons, the court was harming the very company the disgruntled employee had set out to damage. Given that unpalatable result, the court accepted that its decision should be reviewed by the Court of Appeal. 

The Court of Appeal, however, also agreed Morrisons was vicariously liable. It rejected arguments that the perpetrator was not actually doing his job when he did this act. And quoting a previous decision, the court observed: “The risk of an employee misusing his position is one of life’s unavoidable facts.” This may well send a cold shiver down many an employer’s spine.

Apparently Morrisons already faces claims from some 5,000 of the 100,000 affected employees whose data was revealed. Unless insurance kicks in, the implication is that employers could be faced with a crippling bill for such acts by rogue employees. And Morrisons was found liable despite the fact that the company was recognised as having done all it could in terms of appropriate measures. It was not a bad handler of data. The outcome if you are a bad handler can only be so much worse. 

While the court recognised the risk of potentially ruinous consequences for those involved, it thought insurance by employers was the answer. That of course is likely to involve not only the cost of premiums but also the checks, balances, systems and training needed to comply with the demands of those insurers. 

Martin Lewis, the money expert, commented recently that in his view the future of high-paid jobs is in the analysis of data. That may be so, but controlling it and protecting it is a vital first step. 

James Bessey is a partner in the construction team of Blake Morgan