The issue in question is whether an employer is vicariously liable in damages to employees whose personal and confidential information has been misused by being disclosed on the web by the criminal act of another employee.
Yes, said the Court of Appeal in WM Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339, which held that there was sufficient connection between the position of the employee and his wrongful conduct to justify holding Morrisons liable.
There are over five thousand individual claimants, meaning damages are very likely to be extremely substantial.
This deliberate data breach was carried out by a rogue employee using his home computer in his own time and will be a cause of great concern to data controllers and data processors. At first instance, the judge held that Morrisons had implemented a range of mechanisms to prevent data misuse and complied with its own obligations under the DPA, yet it was still held vicariously liable for the employee’s torts of misuse of private information and breach of confidence.
So what are the implications?
This case indicates that even the most conscientious data controllers and processors may be exposed to enormous financial liabilities through the actions of their employees. The situation is unlikely to be any better for employers under the GDPR and Data Protection Act 2018 – so even if a firm avoids a hefty fine from the ICO for breach, that won’t mean they escape liability.
Employers will wish to revisit their recruitment due diligence procedures, their data protection policies and – crucially – their insurance provision to ensure that they are adequately protected.
To speak to our information law and employment law teams, call 0207 410 2000.
Mark Thomas and John Goss are members of the information law and employment law teams at 5 Essex Court. They advise public bodies and a wide range of commercial organisations, including national retailers.