The Court of Appeal (CA) has dismissed an appeal against a High Court (HC) decision finding an employer vicariously liable for the actions of its employee in processing personal data. The decision emphasises the critical need for employers to ensure, so far as possible, that adequate safeguards are in place around the data processing activities undertaken by their employees and that appropriate procedures are in place to limit the potential damage when an individual goes 'rogue'.
Employers should also understand what 'cover' they have in place should a data breach hit and legal claims ensue. Whilst the case concerned the Data Protection Act 1998 (DPA), it is equally relevant under the new GDPR/Data Protection Act 2018 regime.
A formal warning, a grudge and a USB stick
The employee concerned had been issued with a formal disciplinary warning for unauthorised use of his employer's postal facilities for private purposes and as a result harboured a grudge. Subsequently, the employee was tasked with sending payroll data (including names, addresses, bank account, salary and national insurance details) to external auditors. He was provided with an encrypted USB stick containing the information, which he downloaded onto his work computer. He then loaded the information onto a USB stick provided by the auditors but also onto a personal USB stick which he used to download the data onto his home computer. Just before the employer's annual financial reports were announced, the employee released the personal data onto a file-sharing website. Links to that site were posted on other websites and additional copies of the data were sent to newspapers (who did not publish the information).
Group civil claim brought for compensation for distress suffered
The employee was convicted of fraud under the Computer Misuse Act 1990 and the DPA. However, although the Information Commissioner's Office found no action was required against the employer for DPA compliance, just over 5,500 of the 100,000 employees whose data had been disclosed proceeded to bring a group civil claim against the company. The employees sought compensation for distress suffered, arguing breach of the DPA, misuse of private information and breach of confidence.
Applying the vicarious liability test - were the employee's actions within the 'field of activities' entrusted to him and sufficiently connected to his position at the employer?
The High Court (HC) and CA both agreed that the employer was not directly liable – it was not at fault due to any actions it had taken (see our previous Insight on the HC judgment). However, there was nothing in statute prohibiting it from potentially being vicariously liable for the employee's actions. Consequently, applying the current test for vicarious liability laid down by the Supreme Court, the CA agreed with the HC that:
- the employee's actions fell within his 'field of activities' – he had deliberately been given the payroll data by his employer and sending the claimants' data to third parties was, in the court's view, within the field of activities assigned to him; and
- there was a sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice. It was correct to characterise his actions as ‘seamless and continuous’ and ‘an unbroken chain of events’.
Irrelevant that employee's motive was to harm his employer
The CA rejected the employer's argument that it would be wrong to impose vicarious liability where the employee's motive in committing the wrongdoing was to harm his employer, as to do so would render the court an accessory in furthering the employee's criminal aims. The motive of the employee was irrelevant to the issue of vicarious liability. There was no exception to this, even where the motive was to cause financial or reputational damage to the employer.
What should employers be doing now? Is insurance the answer?
The CA's decision is a concerning one for employers, demonstrating that even where an employer has put appropriate measures in place to comply with the relevant data protection legislation, it remains vulnerable to civil claims arising from the actions of one rogue employee wanting to cause it harm. This potential financial exposure is on top of the negative publicity and reputational consequences surrounding data leaks. Pending any legislative intervention limiting exposure in some way (which is not something that is currently anticipated) the CA has suggested that employers could 'insure' against this risk. Whilst on the face of it a seemingly simple solution, availability and cost may not render it so straightforward. Cyber insurance is becoming more widespread, but such policies are often heavily limited and would be unlikely to cover all legal and operational costs that arise from a major data breach and any ensuing litigation. This is particularly so given the potential for group actions such as in this case. We are still awaiting a hearing to decide what compensation should be awarded in this case, although unsurprisingly, the employer in this case has indicated it will be appealing the decision on liability to the Supreme Court.
In the meantime, employers should ensure they are taking all necessary steps to appropriately safeguard data within the organisation and to minimise the repercussions in the event of any data breach, including the potential distress which may be suffered by the individuals whose data is released or compromised. Whilst IT and compliance departments will inevitably have key roles to play in securing personal data and the technical and organisational measures to be taken, HR must also make sure that employees are fully aware of their roles and responsibilities, including the importance of handling personal data correctly, what behaviour is considered unacceptable and the consequences if they do not meet the employer's expectations. HR also have a role to play in ensuring that employees are able to identify a data breach and trigger the relevant internal procedures.
We are holding two workshops in Bristol and London at which we will be addressing the tricky issues the GDPR raises for employers, looking at actions and solutions for businesses to take forward in achieving compliance. Please contact us if you would like to attend one of these workshops, or would like to discuss how this may affect you.