Are Businesses Legally Responsible for Data Breaches by “Rogue” Employees?

Data breaches are costly enough to businesses, even without having to add in regulatory fines and civil litigation awards of damages. Businesses that implement sound data protection programmes can still be vulnerable to breaches caused by employees who deliberately break the law. Clients affected by a breach may attempt to hold the business vicariously liable for the actions of these employees. Fortunately, there are steps that businesses may take that will reduce their civil liability and the chance of an adverse finding by a data protection regulator.

The Supreme Court of the United Kingdom recently held in the case of WM Morrisons Supermarkets plc v. Various Claimants [2020] UKSC 12 that the retail grocery chain Morrisons was not vicariously liable for the actions of a disgruntled former employee who deliberately disclosed the personal data of his colleagues. While the employee originally had legitimate access to the data as part of his employment responsibilities, the Supreme Court found it determinative that the disclosure was not part of his field of activities or an act he was authorised to do; he disclosed the data for his own vengeful purposes and the disclosure was not so closely connected with his legitimate task that it could be properly regarded as being done while acting in the course of his employment. This does not mean courts will never find businesses to be liable for the actions of their employees, as decisions will reflect the circumstances of each case. However, there are certain key factors that the courts and data protection regulators will consider.

Businesses that wish to avoid vicarious liability should have an effective data protection management programme in place. This includes an inventory of all personal data and written policies and procedures relating to the collection, use and disclosure of personal data. They should have reasonable physical and technical security measures in place to ensure that employees' access to personal data is strictly on a ‘need to know’ basis and, where feasible, to keep an audit trail of all access to the relevant information. There should be protocols in place for identifying and responding to breaches. Nevertheless, none of these measures will have any value unless all employees have a sufficient level of awareness, which means providing adequate and regular training for all staff. Finally, it is essential that the executive of the organisation clearly demonstrates to all staff its support for these measures and the importance of implementing them.

The key question in examining the causes of a breach is whether the business had done everything reasonable to prevent it from happening. Determined criminals and employees can circumvent even the strongest security measures, and even the best employees can make mistakes. A good data protection management programme will reduce the risk of that happening and help to mitigate any impact. It will also prevent employees from blaming the business on the ground that they were purportedly unaware that their actions were contrary to the law. The courts will take into consideration the efforts that businesses have made to ensure that their employees comply with the law. This would include measures to prevent employees from taking personal data home unless necessary, or to prevent ex-employees from using personal data they obtained while working.

Businesses should be able to limit liability in cases where employees abuse personal data for their own financial gain or for pursuing personal vendettas. Nevertheless, businesses might be liable in cases where their employees contravene the law for the sole purposes of furthering the financial interests of the company. That is why it is essential for businesses to be able to demonstrate with documented evidence that they have made all employees aware of what constitutes acceptable data processing and what does not. A strong data protection management programme will assist businesses to achieve that objective.