The Court of Appeal has ruled that a major UK employer is responsible for a breach of data protection rules, even though it accepted that the company had done all it could to prevent the breach, and the breach was the result of a malicious employee's deliberate aim of damaging the company.
In 2015, Andrew Skelton (a former Morrisons employee) was sentenced to eight years in jail for stealing and unlawfully sharing the names, addresses, bank account, salary and NI details of nearly 100,000 former colleagues with news outlets and data sharing websites. At the time, Skelton was a senior IT auditor, harbouring a grudge against his employer. Skelton had been given an encrypted USB stick containing the personal data by HR in order for him to pass this on to KPMG, the company’s auditors. Unknown to Morrisons or KPMG, Skelton made a further copy on a personal USB stick.
Using a personal computer at home, Skelton then downloaded the data onto a CD and sent it to three newspapers, pretending to be a “concerned” individual who had discovered the payroll data was available on the web. The letter with the CD gave a link to a file-sharing site where the payroll details were also posted. None of the newspapers published the data, but one of them alerted Morrisons.
Skelton was tried and imprisoned for offences under the Computer Misuse Act 1990 and section 55 of the (old) Data Protection Act 1998 (“DPA”) and the incident was investigated by the Information Commissioner who decided no action was required with respect to compliance with the DPA.
However, around 5,500 employees brought a claim against Morrisons, despite not having suffered any financial loss. The claim against Morrisons was on the basis that Morrisons was vicariously liable for:
- Skelton’s criminal actions in disclosing personal information relating to co-employees; and
- the subsequent distress caused to those employees
whether in breach of the DPA, breach of confidence or misuse of private information.
The High Court held that Morrisons was vicariously liable for Skelton's actions, exposing it to civil damages claims from individual employees (which could run into thousands of pounds per claimant depending on the nature of an individual's personal data). Morrisons appealed.
The Court of Appeal has now rejected Morrisons' appeal, and in doing so it found that an organisation can be liable for data breaches even if it has taken appropriate measures to comply with the data protection legislation, and even if the organisation itself is the intended victim of the breach.
This case also underlines the principle that organisations can be held vicariously liable in damages to third parties (e.g. employees, contractors etc.) for the actions of rogue employees.
Remember this case related to data breaches which occurred under the old DPA. The current post-GDPR legislation expressly provides for individuals to claim compensation, thus increasing the risk for organisations.
In the light of recent data breaches hitting the headlines (British Airways, Facebook, Dixons Carphone, the Conservative Party Conference), this case might well lead to an increase in civil claims for data breaches in the UK.
Although not necessarily a defence to employee claims, employers should be looking to ensure their data protection policies are as robust as they can be, and that the organisation can show evidence of the process it has undertaken to risk-assess data and take steps to minimise that risk.
The case is also notable in the light of the recent call by Apple CEO Tim Cook, in a speech in Brussels, for an end to the "weaponization of deeply personal data", and his praise for the European General Data Protection Regulation.
For details of the speech see https://www.bbc.co.uk/news/technology-45963935.