UK: Who is responsible for rogue employee’s data leak...

Who is responsible for rogue employee’s data leak and what can employers do to prevent it from happening?
 
Keeping employees’ (and other stakeholders’) personal data safe is becoming increasingly more difficult with the advancement of technology, mobile devices, USB sticks and remote working arrangements to mention but a few. 2018 has seen protection of personal data become a top priority for organisations following the introduction of the General Data Protection Regulation (GDPR). Although many employers will have Data Protection policies in place – these can of course not in themselves prevent disclosure of data by a rogue employee. Is there really anything employers can do to safeguard against deliberate data leaks by a disgruntled employee?

On 22 October 2018, the Court of Appeal gave judgment in the case of WM Morrison Supermarkets PLC –v- Various Claimants [2018] EWCA Civ 2339 and upheld the High Court‘s ruling that the supermarket (Morrisons) was vicariously liable for a deliberate data breach by one of its employees.

At the time of the breach, the employee (Mr Skelton) was a senior IT internal auditor employed by Morrisons. In 2013 Mr Skelton became disgruntled when he was given a formal verbal warning for having used Morrisons’ postal facilities for private purposes. Later that same year Morrisons’ external auditors, KPMG, requested various data from Morrisons – including a copy of the payroll data – in order for them to carry out an annual audit. Mr Skelton was tasked with providing the payroll data to KPMG by copying the data onto an encrypted USB stick. During this process, Mr Skelton secretly copied the data onto his personal USB stick as well and subsequently posted the payroll data of almost 100,000 Morrisons employees onto a file sharing website. The data, which was also placed elsewhere on the internet, contained employees’ names, addresses, gender, dates of birth, home/mobile phone numbers, national insurance numbers, bank sort codes, bank account numbers and the salary which each employee was being paid. Mr Skelton was arrested and sentenced to 8 years imprisonment.

Following the data leak, some 5,500 Morrisons employees brought claims against Morrisons for damages in respect of the data leak. Both the High Court and the Court of Appeal held that Morrisons had adequate and appropriate controls in place in those areas which were relevant to the claims. Accordingly, the Court of Appeal agreed with the High Court that Morrisons was not directly liable in respect of any of Mr Skelton’s data disclosures. However, the Court of Appeal also agreed that Morrisons was indirectly liable under the principles of vicarious liability because there was a sufficient connection between the position in which Mr Skelton was employed and his wrongful actions – Morrisons had put Mr Skelton into the position of handling and disclosing the data to KPMG. For this reason, the Court of Appeal held it was right to conclude that Morrisons should be vicariously liable for Mr Skelton’s actions and pay damages to the employees.

We have seen many personal data breaches reported in the media in recent years and the Morrisons case will no doubt leave employers worried about the extent of their liability for any unauthorised actions by rogue employees.  Employers will also be worried about what they can actually do to minimise the risk of data leaks. Although the Morrisons case related to breaches under the old data protection legislation – the Data Protection Act 1998 – the judgment is highly relevant as the GDPR is even more onerous when it comes to protecting employees’ personal data.

So, is there anything employers can do to minimise the risk of liability? 

Unsurprisingly the first thing a court will look at is:

• Has the employer appropriate data protection policies in place?
• Has staff received sufficient training on handling personal data
• Have appropriate processes been put in place to minimise the risk of personal data being inadvertently disclosed or used in an unlawful manner and to ensure data is carefully deleted once it is no longer needed?

 

In the Morrisons case, both the High Court and the Court of Appeal held that Morrisons had put in place appropriate policies, processes and training in the areas which were relevant to the claims brought against it. Had this not been the case then it is highly likely that Morrisons would also have had primary liability for Mr Skelton’s actions. This case shows the importance of putting in place appropriate Data Protection policies and processes – not just because businesses risk a hefty fine from the ICO if they fail to do so – but because it can serve as part of an employer’s defence to claims that it has direct liability for a data breach by one of its employees.

Okay, so having put in place the relevant data protection policies, processes and training – is there anything employers can actually do to prevent unauthorised data disclosures?

There is probably very little employers can do to remove the risk as it is extremely difficult to prevent deliberate data disclosures by a disgruntled employee. However, there are some steps employers can take to minimise the risk of it happening, which include:

• Ensuring technical and organisational controls (such as password protection and monitoring for instance) are in place within the business to ensure personal data is not misused or stolen;
• Being alert to unusual activities such as an employee (perhaps following a poor performance review): attending the office at weekends/frequently working late when there is no apparent reason to do so; or emailing out large quantities of data to a his or her private email account.
• Listening to employees’ concerns about any weaknesses in the processes used and in general;
• Considering more rigorous controls when it comes to employees using own devices for work purposes; using external email addresses; and using USB sticks. Arguably, someone in a position with access to personal and sensitive data should not have access to the USB port on their PC;
• Ensuring the right person is entrusted with the data in the first place and limit the number of employee who have access to and handle the data. Entrusting someone with sensitive data is in itself a risk and employers should take great care when it comes to selecting the relevant employee(s);
• Carrying out background checks, monitoring and spot checks as appropriate;
• Treating staff well – many cases involve a disgruntled employee; and
• Ensuring a culture where employees feel they can raise concerns informally as well as formally through a grievance procedure. The key is for any concerns raised – whether informal or formal – to be handled fairly and professionally. It is worth investing in training for line managers to ensure employee concerns are handled in an appropriate manner – line managers often have no or very little HR training.

 

Apart from the above – all employers can really do is to reiterate to employees the need to behave in accordance with the data protection rules. Ensure employees are enlightened when it comes to the very serious consequences an unauthorised data leak can have on their professional careers let alone their private lives. Had Mr Skelton realised that he would be sentenced to 8 years’ imprisonment perhaps he would have thought twice about leaking the data.

 

For further information, please contact:

Sara Kennedy,  Legal Director

ebl miller rosenfalck, London

e: sk@millerrosenfalck.com 

t: +44 20 7553 9937

 

The material contained in this article is provided for general purposes only and does not constitute legal or other professional advice. Appropriate legal advice should be sought for specific circumstances and before action is taken.

© Miller Rosenfalck LLP, October 2018