Data Controllers Can be Responsible for Data Breaches by Rogue Employees
Martin Sloan, a partner at Brodies, looks at the outcome of the recent ‘rogue employee’ case against supermarket chain Morrisons and the implications for data controllers in companies which suffer such an attack.
The High Court has today issued its eagerly awaited judgment in group litigation arising out of a data breach affecting 100,000 employees of the Morrisons supermarket chain. The judgment, for which Morrisons has been granted leave to appeal, has major implications for data controllers.
In 2013 an internal auditor at Morrisons deliberately copied Morrisons’ payroll file and then posted an edited version online.
The individual was subsequently identified and convicted. The individual had legitimate access to the file in the course of his duties, and his lengthy prison sentence (8 years) reflected the damage that his actions had caused Morrisons. The individual took the actions to “punish” Morrisons following a previous disciplinary process.
Following his conviction, around 5,000 affected employees brought an action against Morrisons for distress. The claim, the first such group litigation following a data breach, was brought on the basis that Morrisons was either directly liable or had vicarious liability for the acts of its employee.
The court’s decision
Whilst the court found that Morrisons was not directly liable for the individual’s acts and could not have anticipated what happened or taken steps to prevent disclosure, the court did find that Morrisons was nevertheless vicariously liable for the actions of its employee. The decision follows a previous Supreme Court decision that extended the concept of an individual “acting in the course of employment.”
You can read the court’s judgment here.
What does the judgment mean for employers?
The judgment is difficult for employers.
On the one hand, the court said that the data breach did not arise as a result of a breach by Morrisons of its obligations under the Data Protection Act (including its obligations in relation to information security), and that it could not have done anything to prevent disclosure. The judgment contains extensive analysis of a number of things that the claimants argued Morrisons could have done and concludes that it had not fallen short of its duties.
Had the judgment stopped there then it would have provided employers with some comfort around the steps they are expected to take to guard against the acts of rogue employees and insider threats.
However, the court went on to hold Morrisons vicariously responsible to its employees for the consequences of an act deliberately committed against Morrisons by a rogue employee with the specific intent of causing Morrisons harm. Morrisons was the innocent party and, from the court’s judgment, it seems that there was little it could have done to prevent the breach from occurring. Yet the court held that it was liable to those individuals who suffered damage and distress.
With the increasing threat of insider attacks and rogue acts by disaffected employees, today’s judgment will cause concern for many organisations. It emphasises the importance of monitoring and protecting an organisation from insider threats and rogue employees – whether through monitoring of system use, access controls or otherwise.
Of course, any such steps also need to be balanced against the rules that apply to employee monitoring.
The decision also raises interesting issues for data processing contracts and the allocation of liability between controllers and processors for the acts of the processor’s staff.
The original article can be found here.