Are employers vicariously liable for data breaches of their employees?



Last week the UK Supreme Court (UKSC) handed down a long-awaited judgment concerning a data breach in the UK.  

The key takeaway from this judgment is that, in principle, an employer can be vicariously liable for a data breach caused by one of its employees if there is a close connection between the employee’s conduct and their employment.

In this case, the employer was not vicariously liable because the employee was motivated by a grudge against the employer. 

For some perspective on the extent of this threat: rogue employees / insider threats made up 12% of malicious or criminal attacks reported to the Australian Privacy Commissioner in the last six months of 2019. However, this likely under-represents the prevalence of the problem. Moreover, as this case shows, insiders have a unique ability to damage a business because of their access to sensitive data.

While not binding on Australian Courts, this decision suggests that a business will not be liable for negligence to third parties for malicious conduct of its employees designed to hurt the business. However, liability may still arise from breaching contractual obligations to protect data or in the form of fines imposed by the Privacy Commissioner.

This case is also a good example of the various forms of liability that can flow from a data breach – here there was potential liability under UK legislation as well as under common law for breach of confidence and misuse of private information.  

Industry: Supermarket chain  

Players in Litigation

  • Morrison (M) (fourth largest chain of supermarkets in the UK)
  • Ten lead claimants (on behalf of 9,263 employees of the appellant) 

Facts

  • Skelton (S) was a senior internal auditor of M. S was given a verbal warning for minor misconduct.   
  • Shortly after this warning, M’s accounts were subject to a yearly external audit, where S was asked to collate and transmit M’s payroll data to KPMG. This data consisted of names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank account numbers and salaries of all their workforce.  
  • S copied the payroll data from his work computer to a personal USB stick. A few weeks later, he uploaded most of this data onto a publicly accessible website. He also sent CDs containing these files anonymously to three newspapers.
  • The claimants brought proceedings against M, arguing that M was vicariously liable for S’s conduct because it was a breach of the UK’s Data Protection Act (DPA), misuse of private information and breach of confidence.

Issues  

  • Whether the DPA excludes vicarious liability for: 
    • Statutory torts committed by an employee data controller; or
    • Misuse of private information and breach of confidence.
  • Whether M is vicariously liable for S’s (wrongful) conduct. 

Key findings: 

Whether vicarious liability applies to data breaches 

The Court found that vicarious liability would apply unless legislation expressly or impliedly indicated otherwise. In this case the legislation did not exclude vicarious liability.  

Whether M was vicariously liable for S 

The Court found that it was “clear that [S] was not engaged in furthering his employer’s business” when publicly disclosing the data.  

As a result, the Court considered that his wrongful disclosure could not be regarded as done by him acting in the ordinary course of his employment because S was pursuing a personal vendetta against Morrisons.

Additionally, the Court found that: 

  • the fact that M gave S the opportunity to wrongfully disclose data was not sufficient to impose vicarious liability, and 
  • S’s personal motives were highly relevant as he was not acting on M’s business. 

Key lessons 

  1. Insider threats are a significant source of data breaches. The risk from this kind of threat can be reduced by putting in place a range of technical and administrative measures including limiting account access, restricting the use of portable storage devices such as USBs and/or monitoring and logging network activity. 
  2. In principle, employers can be vicariously liable under statute and common law for data breaches caused by their employees, where there is a close connection between the conduct causing the breach and the employee’s employment.
  3. A ‘personal vendetta’ or an ‘independent venture’ is distinguishable from the ordinary course of employment and therefore in most circumstances will not satisfy the close connection test.