Breaching data protection law carries serious consequences, but there are steps companies can take to offset their risk, as Victoria McMeel and Edward Smith explain
This article was first published in the October 2019 UK edition of Accounting and Business magazine.
Nearly 18 months after the General Data Protection Regulation (GDPR) came into effect, the Information Commissioner’s Office (ICO) is to issue its first significant fines under the legislation. One of these may be as high as £183m.
Although the UK regulator for data protection, the ICO, is responsible for overall GDPR compliance, it is the law courts that will hear civil cases about personal data breaches. Their recent ruling in the case of the Morrisons payroll data breach suggests a new trajectory for incidents involving internal breaches of personal data and provides an insight into the types of claim that may become commonplace.
Understanding the implications of the Morrisons case as a landmark ruling is vital for employers of all sizes. Although the claim was made under the Data Protection Act 1998, it is evidence of the seriousness with which data breaches are met. It is also the first class-action suit covering a data breach.
The case centres on a rogue Morrisons employee, Andrew Skelton, who uploaded the personal data of nearly 100,000 Morrisons employees to a file-sharing website in early 2014. Skelton worked as a senior internal auditor and had access to large volumes of personal data – specifically payroll data – which included home addresses and bank account details. Not only did he release the data into the public domain, he did so under the name of another employee.
Separate criminal proceedings found Skelton was motivated by a grudge he held against Morrisons stemming from a historical and unrelated disciplinary incident. He was jailed for eight years for fraud and data misuse. However, 5,518 employees subsequently brought litigation against the supermarket chain directly, claiming that as Skelton’s employer it had both primary and vicarious liability for his actions.
The High Court found that Skelton’s employment was directly linked to the personal information he disclosed. Morrisons had deliberately given him the job of processing that information, did not appropriately manage the fallout of his disciplinary sanction and did not effectively assess the risk of letting a disgruntled employee handle highly sensitive information.
The court ruled a sufficient connection existed between Skelton’s actions and the course of his employment, making Morrisons vicariously liable for his actions. The fact that Skelton disclosed the data from his home computer and outside his working hours was not deemed a significant enough factor to break the connection between his employer and the data breach, nor was his motive to cause harm to Morrisons found relevant to the case.
The Court of Appeal upheld the original High Court decision of vicarious liability in October 2018. However, as of April 2019, Morrisons has been given permission to take its appeal to the UK Supreme Court.
What is certain is that the case makes for uneasy reading for employers, who may now be liable for the misuse of personal data by a rogue employee even if they are otherwise compliant with GDPR, and even if the wrongdoing was intended to damage them.
The Court of Appeal has suggested that ‘the solution is to insure against such catastrophes and losses caused by dishonest or malicious employees’. In principle, businesses will be able to insure against the risk of an unauthorised data breach either through a public liability policy or a bespoke cyber-insurance policy.
However, such policies may not fully cover a company’s exposure. Malicious conduct such as Skelton’s may fall outside the scope of a standard cyber-insurance policy. Insurers may also introduce limits and exclusions following the decision in the Morrisons case.
First and foremost, then, employers should examine their internal procedures to protect against financial liability for data leaks. In addition to exploring insurance options, they can take the steps outlined in the panel above. Whatever the outcome of the Morrisons case, it is clear that falling foul of the GDPR is both easier and far more painful in its consequences than many companies may have imagined.
Victoria McMeel is a director and solicitor and Edward Smith is an associate at Vistra Corporate Law.