In today’s world, data breaches are a regular occurrence. The size and scale varies, and they have different causes, but those matters are irrelevant if you are a data subject affected – you just want the situation resolved and compensation for any losses you suffer. Who should be responsible for those breaches? Where a company has not taken sufficient steps to safeguard personal data, the answer is obvious. But what about where a rogue employee leaks personal data with the deliberate intention of harming his employer? The English High Court has recently decided that even in that instance, the employer is liable to data subjects. Although there is no specific case on this point, we believe that a similar outcome would be reached in an action under US law.
In early 2014, it came to light that a file containing personal data relating to nearly 100,000 employees of the British supermarket chain Morrisons had been published on a file-sharing site. After some investigations, an individual called Andrew Skelton was arrested and subsequently convicted of breaching the Computer Misuse Act 1990 and the Data Protection Act 1998 by uploading the file of personal data to the file-sharing site. Skelton had been employed by Morrisons as a senior IT internal auditor, and had come into possession of the personal data during the course of his employment.
During Skelton’s criminal trial, it emerged that Skelton had been disciplined by Morrisons for an incident at work some months before he leaked the data. Skelton had felt that the disciplinary action had been excessive, and the Judge in Skelton’s trial found that leaking the personal data of nearly 100,000 of his colleagues was his way of getting his revenge on Morrisons.
Later, more than 5,500 employees brought a civil claim against Morrisons for damages arising out of the data breach. Morrisons denied liability on the grounds that it had not breached the Data Protection Act 1998. Morrisons also denied that it could have liability for the actions of Skelton, in circumstances where his actions in leaking the personal data had been deliberate and were found by the Judge at the criminal trial to have been taken with the express purpose of damaging Morrisons. Morrisons argued that it would therefore be contrary to public policy to find Morrisons vicariously liable for the criminal acts of which it was itself the victim.
The Judge in the civil action, Mr. Justice Langstaff, found that Morrisons had not in fact breached the Data Protection Act 1998 (save in one respect, which he found had neither caused nor contributed to the data leak). Having found no direct liability on the part of Morrisons, the Judge then considered whether it could be vicariously liable for Skelton’s actions in leaking the personal data.
Until relatively recently, whether an act was done for the benefit of the employer – whether or not authorised – was held to be key in determining if the act was done in the course of employment and therefore something for which the employer should be vicariously liable. Clearly, that situation did not pertain here; it was accepted that Skelton’s actions were taken with the intention of harming Morrisons. However, despite the fact that he would be making a victim liable for the consequences of the perpetrator’s actions, in light of the factors set out below, the Judge determined that it was right that Morrisons should compensate the Claimants.
The Judge’s reasons for coming to this conclusion were as follows:
- Morrisons claimed that imposing vicarious liability for an employee deliberately and without authorisation leaking personal data would have a chilling effect on the ability of companies to process data; the Judge rejected that submission, noting that this was the first case of its type to come before the English Courts in the almost 20 years since the passing of the Data Protection Act 1998;
- There was an unbroken thread between Skelton’s employment and the data leak:
Dealing with personal data was a task assigned to him as part of his job as a senior IT internal auditor;
b. He came into possession of the data legitimately in that role;
c. He had the data in order to disclose it to a third party (Morrisons’ auditor, KPMG);
- Although he held a personal grudge, which influenced his actions, that grudge was related to his employment in that it arose out of his dissatisfaction with the disciplinary actions taken against him by Morrisons; and
- Morrisons was not the only victim of Skelton’s acts – the data subjects all suffered too.
The Judge had some intellectual difficulty with the consequences of his decision, and noted that he was concerned that he had rendered the Court an accessory to Skelton’s criminal aims. He therefore granted Morrisons leave to appeal his decision on vicarious liability, should it wish to do so.
Liability Under US Law
Unlike the United Kingdom, the United States does not have a general Data Protection Act. However, this does not mean that the United States does not have data protection law or that there would not be consequences for a similar action. If a similar situation were to occur in the United States, both an individual employee and the employer would face potential liability.
An analogous case in the United States could lead to criminal prosecution (similar to Skelton, who received a prison sentence) and civil liability for statutory and tort-law claims against the rogue employee. The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, criminalises obtaining information from computers without authorisation or beyond authorised access, causing damage as a result. 18 U.S.C. § 1030(a)(5)(C). The CFAA also provides for civil liability, where any person who suffers economic loss exceeding $5,000 within a one-year period may recover damages. 18 U.S.C. § 1030(c)(4)(A)(i)(I).
A rogue employee in a similar situation in the United States could also face common law tort claims. While US courts have been slow to recognise the applicability of traditional tort claims in the data privacy context, and have been divided on whether victims of a data breach can establish Article III standing (US federal courts require plaintiffs to show that they have suffered harm, which must be more than speculative or possible, as a result of the alleged violation), several tort claims may be available: public disclosure of private facts (publicising information that would be highly offensive to a reasonable person and is not newsworthy); conversion (intentional assertion of control over another’s digital information to interfere with the owner’s right to control it); and intentional infliction of emotional distress (causing severe emotional distress by extreme and outrageous conduct).
A number of US corporations have already faced liability for data breaches in class actions. Anthem, a large health insurance company, entered into a $115 million class action settlement with data breach victims. Equifax is now facing class actions based on its data breach in fall 2017. Although these actions did not involve questions of vicarious liability, it is possible that a US company could also face vicarious liability for the tortious actions of an employee in a data breach case. Under the doctrine of respondeat superior, employers may be held vicariously liable for tortious acts committed by employees in the scope of their employment, although employer liability does not extend to acts that are clearly inappropriate to or unforeseeable in the context of the employment.
Consequences for Employers
Although the Judge in the Morrisons case noted that it was a rare occurrence for employees to leak personal data maliciously and against the interests of their employer, this case shows that it can and does sometimes happen. Given current trends, the ability to use data as a weapon against employers by employees with a grudge may well increase. If an employer has not itself breached data protection laws and yet can be liable for the criminal acts of its employees in breaking those laws, what are employers to do?
A good compliance programme is key. Training staff and ensuring that the policies and processes around data processing are robust will be the best form of defence. Monitoring the activities of employees who have access to large amounts of personal data may well also be appropriate, and the perception that this in some way implies a lack of trust in those employees must be dispelled. In case all of the preventative actions fail, having in place a robust, tested, incident response plan to deal with the breach, and appropriate cyber liability insurance, will help to remedy the situation after the event.
 Various Claimants v Wm Morrisons Supermarket PLC  EWHC 3113 (QB)
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.