Just as cyber security experts will tell you that one of the biggest threats to IT security is human error by employees, the same is clearly true of the risk of data breaches. Not only are employees likely to be responsible for processing the personal data held by a business, and must therefore ensure they treat it in accordance with GDPR principles to avoid placing their employer (the data controller) at risk, but they are also data subjects in their own right. As many an employer knows to its cost, a disgruntled employee is a dangerous thing, not just in terms of employment tribunal claims but also in terms of their ability to make a data subject access request, requiring the employer to spend significant time and resources locating all of the relevant information. Unlike client or customer data, which is often neatly contained in silos within a business, employee data is often held in a less structured manner, requiring extensive investigation to locate it all.
Now it seems that the risk to employers in relation to employees dealing with data goes one step further. According to a recent case against WM Morrison Supermarkets, an employer is liable for a data breach occasioned by an employee, even if that employee acts criminally and is actively seeking to cause damage to his employer by his actions. In the case in point, the data breach in question was deliberate, malicious and extensive. In January 2014 an employee (Andrew Skelton) employed by Morrisons as an IT auditor copied the personal data of nearly 100,000 Morrisons staff onto a data stick. In March 2014 he posted the information (including names, dates of birth, addresses and bank details) on a file sharing website and informed local newspapers about the breach. Mr Skelton tried to conceal his identity but was identified, convicted and imprisoned. It transpired that he held a grudge against Morrisons following a disciplinary procedure against him in 2013, and this, it seems, was payback!
One of the arguments posed by Morrisons was that the wrongful acts of Mr Skelton did not occur “in the course of employment” and consequently it could not be liable for them. Vicarious liability has been the subject of considerable case law, and the question of whether acts occurred in the course of employment is an often considered theme. In this instance the Court found that Morrisons had entrusted Mr Skelton with the relevant confidential data as part of his job, taking the risk of placing their trust in him. Even so, Morrisons argued that the acts in question occurred on a Sunday, from Mr Skelton’s home and using a personal USB stick. As such, surely they could not be liable, as he was not acting in the course of his employment – essentially because he was not at work. However, the court suggested that considering such matters was not the real issue to be determined – the real issue being whether there was an “unbroken chain” between the nature of Mr Skelton’s work and the disclosure of the personal data.
It may seem somewhat unfair, perverse even, that an employer (who it could be argued was as much a victim of the employee’s actions as the data subjects who had their information leaked) can be liable to pay extensive compensation arising from a data breach caused by an employee whose motive was to cause damage. After all, damaging your employer is not normally something one should be doing “in the course of employment”. However, it is established law that an employer is liable for the deliberate wrongdoing of its employees, and also, following the assault case of Mohamud v WM Morrison Supermarkets PLC, that the motive of those employees is not relevant. The Court of Appeal suggested that the remedy available to employers in such circumstances is insurance – i.e. making sure that your insurance policies protect against losses caused by dishonest or malicious employees.
As any cyber security expert would tell you, and indeed the same must be said of data experts, prevention is always better than cure. Whilst not every potential risk can be considered and protected against, some definitely can – and in order for any insurer to pay out under the terms of any policy, it will almost certainly want to ensure that every possible precaution was taken. So robust policies and compliance protocols are essential, as is appropriate employee vetting and systems monitoring. That, and good insurance!