Businesses have been urged to tighten their data protection technologies, policies and procedures after a UK Supreme Court ruling yesterday left the door open for employers to be sued by their staff for insider breaches.
The case involved supermarket chain Morrisons, which suffered such a breach in 2014 when former internal auditor Andrew Skelton published online the details of nearly 100,000 employees — including NI numbers, birth dates and bank account data.
Some 5000 of these employees then brought civil proceedings against the firm, arguing it was liable for the misuse of their data. Both the High Court and the Court of Appeal ruled that, although the supermarket chain was not primarily to blame, as its security safeguards were sound, it was “vicariously liable” for Skelton’s actions.
“In simple terms Morrisons had to underwrite Skelton’s actions as an employee,” explained legal firm Cordery Compliance. “This was in part because they had selected Skelton for the trusted position of being the middle-man in transferring the [HR data] to KPMG.”
However, the Supreme Court has now ruled in Morrisons’ favor: in effect saying that in this case the employer cannot be held vicariously liable as the employee (Skelton) was pursuing a vendetta.
This is a victory for the supermarket, and several legal experts have argued that employers will also be breathing a sigh of relief that they won’t be held liable in similar circumstances.
Yet firms aren’t completely off the hook, according to Claire Greaney, senior associate at Charles Russell Speechlys.
“It wasn’t all good news for businesses today. The court did not say there could never be vicarious liability for the conduct of employees in the world of data protection. If the door to vicarious liability was left ajar by the Court of Appeal, the Supreme Court has confirmed that it is staying open,” she argued.
“In the GDPR era of mandatory notification businesses will need to look carefully at the measures they take to mitigate these risks, including taking out data insurance to protect themselves.”
Cordery Compliance speculated that the case may also have gone differently had the subject of primary liability been considered.
“Under GDPR there is a very strong emphasis on organizations having ‘technical and organizational measures’ (TOMs) in place to ensure GDPR compliance, including with regard to keeping data secure,” it argued.
“Whilst the law was similar pre-GDPR it could be argued that employers should be more conscious of TOMs like access rights and data loss prevention now that GDPR is in force. With this in mind, had the Morrisons case been decided under GDPR might there have been a different outcome as regards primary liability and the personal data that left Morrisons’ systems?”
It’s also true that companies can still be held liable for the actions of their staff in a data breach context if those employees are acting within the course of their employment, for example through accidental leaks or negligence.