Vicarious liability renders an employer liable for the legal wrongdoing of an employee, even in circumstances where the employer is not at fault, provided that the wrong has been committed in the “course of employment”. Leanne Francis, a lawyer in the employment team at Pinsent Masons, takes a look at the issue.
We are all familiar with this concept in the context of discrimination; it is well established that an employer can be vicariously liable for an act of sexual harassment at the Christmas party for example. However, following the recent High Court decision in the case of Various Claimants vs. Morrisons Supermarket, we now know that employers can be vicariously liable for data protection breaches as well.
In January 2014, an employee of Morrisons Supermarket, unhappy about receiving a disciplinary sanction, maliciously posted the personal details of almost 100,000 employees on a website. The data included addresses, dates of birth, phone numbers, bank account details, national insurance numbers and salary details.
On learning of the data breach Morrisons acted swiftly; within a few hours they had taken the website down and alerted the police. It was clear that the data had been extracted from Morrisons’ PeopleSoft database by one of the few users who legitimately had access to all of the data. The employee, a senior IT auditor, was arrested and sentenced to 8 years in prison.
Around 5,500 employees, affected by the breach, lodged a claim against Morrisons claiming, amongst other things, compensation for breach of a statutory duty under the Data Protection Act. The High Court was then asked to consider the question of whether an employer is liable for the criminal actions of a rogue employee.
While the High Court decided that Morrisons was not primarily liable for the data breach, and that all reasonable care had been taken to satisfy the data protection principles, it found that it was vicariously liable for the breach. This was so even though the breach was malicious, Morrisons was found to have taken reasonable steps to protect its data, and the data had been disclosed using a personal laptop outside working hours.
What we can learn from the case
The case demonstrates how difficult it is to avoid vicarious liability. This is a matter of public policy; there is a social incentive to ensure victims are able to claim compensation from a defendant who is in a position to pay. To this end, the law has interpreted vicarious liability broadly.
This is nevertheless bad timing for employers given the General Data Protection Regulation, which is due to come into force on 25 May 2018. In addition to claims for individual compensation, the GDPR also allows for a huge increase in the administrative regulatory fines which the Information Commissioner’s Office (the regulatory body in the UK responsible for regulating and enforcing data protection law and policy) can impose upon entities that fall foul of the requirements of the GDPR.
The maximum tier fine is up to 20,000,000 Euros or 4% of the worldwide annual turnover of the preceding financial year, whichever is higher. The GDPR also includes a mandatory requirement to notify the ICO of a data protection breach within 72 hours.
So if an employer cannot rely on avoiding vicarious liability, what can it do to protect itself?
The first priority should be taking steps to prevent a data protection breach in the first place. Employees are often the “number one” cause of a security incident and according to the ICO, the number of reported breaches is increasing each quarter.
This means a re-focus on information security. Simple but effective measures such as rules and policies about ensuring a clear desk, the safe use of emails, the security of laptops and smart devices (especially when used remotely), robust passwords and encryption should now be part and parcel of everyday life.
Communication is also key; do your staff know where to find your information security policy and do they understand that data protection is everyone’s responsibility? Are they aware of common security risks, such as phishing, and the potential consequences? Are they aware that a grossly negligent or malicious data breach could amount to gross misconduct?
Are they careful about how and why they use data, especially via email? Do you incentivise your staff to keep data secure and to comply with your policies, for example by building compliance criteria into your bonus schemes, performance reviews and promotions? How do you monitor employees on garden leave or notice, especially in circumstances which are not amicable, in order to prevent a malicious data breach?
Complying with principles
Employers should also ensure that they are themselves complying with the data protection principles: data should be obtained for specified, explicit and limited purposes; it should be adequate, relevant and limited to what is necessary; and it should not be kept longer than is necessary. There should also be appropriate security measures in place, and access to data should be limited and on a need-to-know basis.
Given the tight time frame for reporting a breach to the ICO, staff should know how to identify and report a data breach and employers should have an action plan in place to mitigate any damage as quickly as possible.
Some organisations will also be obliged to appoint a Data Protection Officer. DPOs are essentially responsible for data protection; in a nutshell, they act as a point of contact for staff and the ICO and they report to the Board at the highest level about any areas of non-compliance. Even if organisations are not obliged to appoint a DPO, it is best practice to appoint a sufficiently qualified go-to person with the time and resources to deal with the challenges of data protection.
Of course it is impossible to completely eradicate the risk of a data protection breach, but it is important that employers exercise proportionate controls in order to limit the inevitable risk. Not only will this help to prevent a breach from happening, it will help to avoid or limit the amount of any compensation awarded to individuals affected by the breach as well as any fine the ICO may deem fit to impose.