By Jill Evans, Law Content Analyst
Consider this scenario. One of your employees maliciously posts the payroll data of 100,000 staff – names and addresses, bank account details and salaries – to a file sharing website. He also sends the data to three newspapers for good measure. Surely an employer’s worst nightmare, but this is what happened in the case Morrisons v Various Claimants.
The employee, an internal IT auditor with a grudge against the company over a previous disciplinary incident, got an eight-year prison sentence. Over 5,500 of the affected employees claimed compensation for this massive personal data breach from their employer under the Data Protection Act 1998 (the incident predated the newest version of the Act). The High Court decided that while the supermarket chain had not breached its duties under the Act, it was ‘vicariously liable’ for the criminal activities of its rogue employee, and this month that decision was upheld by the Court of Appeal. The organisation has said it will appeal the judgment to the Supreme Court.
Employer liability of this kind has to occur ‘in the course of employment’. The auditor was given the data in connection with his work, on an encrypted USB stick. He then had to download the data on to his work computer, before uploading it to another USB stick in order to give it to the company’s external auditing firm. He subsequently copied it on to a personal USB stick before copying it to his own computer. He uploaded the data to the file sharing site from home, outside working hours.
But the unbroken chain of events leading up to his criminal act meant there was sufficient connection between his wrongful actions and the activities entrusted to him by his employer to establish liability. This test was used in another vicarious liability case involving the retailer, Mohamud v Morrison Supermarkets, in which a garage kiosk employee assaulted a customer.
In another October judgment, Bellman v Northampton Recruitment, the Court of Appeal found an employer liable for its managing director’s drunken assault on another employee. The attack, which resulted in serious long-term injury, took place during a heavy late-night drinking session at a hotel where staff were staying overnight, at the company’s expense, to attend its after-work Christmas party.
Initially the High Court found in the organisation’s favour. The assault took place a long time after the party, at a different location, and the employer argued that it was effectively an independent and voluntary event, so could not be connected to employment. But the Court of Appeal decided the director, the only real decision-maker in the company, was purporting to exercise his authority over a subordinate on a work-related matter at a company event. There was a sufficient connection between the duties entrusted to the director and his wrongful conduct to make the employer liable for his actions.
The Court of Appeal in the data protection case suggested organisations should insure against losses arising from data breaches caused by the behaviour of rogue employees, and the GDPR means organisations’ routine procedures now have to be designed to prevent the risk of any data falling into the wrong hands. Taking out more insurance would not be an appropriate response to a manager’s damaging misuse of executive control but perhaps here, too, cultural change and safer working practices are the best way to prevent rogue behaviour.