PONT Data&Privacy
Employer liability in the event of a data breach by an employee

Recent research shows that employees regularly send work files to their personal e-mail address or store them on their personal laptops. This carries risks for employers, as a recent case in the United Kingdom illustrates. There, the British supermarket chain Morrisons was held liable for a breach of the payroll data of nearly 100,000 Morrisons employees. The perpetrator was a Morrisons employee himself: he had copied the payroll data to his own personal USB flash drive and then deliberately published it on the Internet. This raises several legal questions, including about liability. Can an employer actually be held liable for the damage caused by a data breach that its own employee committed (maliciously)? In this blog we consider that question.

7 November 2018

Authors: Karen Knook, Sejla Okanovic

The facts of the Morrisons case

Morrisons' external auditor needed various data to conduct the annual audit, and its request included a copy of Morrisons' payroll data. Morrisons' internal senior IT auditor, Mr. S., received the HR department's payroll data on an encrypted USB flash drive on Nov. 1, 2013, so that he could copy it onto an encrypted USB flash drive for the external auditor, which he did. Several days later, however, on Nov. 18, Mr. S. also copied the payroll data at work onto a personal USB flash drive, intending to publish it on the Internet later. Out of resentment over an earlier disciplinary warning, on Jan. 12, 2014, Mr. S. published a file of payroll data from his personal USB flash drive on a file-sharing website. The file contained the payroll data of nearly 100,000 Morrisons employees, including names, addresses, gender, dates of birth, national insurance numbers (the UK counterpart of the Dutch citizen service number), bank details and salary information. To deflect suspicion, Mr. S. deliberately posted the data under the name of a colleague. Shortly afterwards, he also distributed links to the file-sharing website elsewhere on the Internet.

Two months later, in March 2014, Mr. S. anonymously sent a CD containing a copy of the payroll data to three British daily newspapers. The newspapers did not publish the data but notified Morrisons the same day. Morrisons immediately called in the police, and within a few hours measures had been taken to take the website hosting the data offline.

A few days later, Mr. S. was arrested. About a year later he was sentenced to eight years in prison for fraud, unauthorised access to computer material and disclosing personal data.

Collective action against Morrisons

A group of 5,518 Morrisons employees then brought a group action against Morrisons for damages for misuse of private information, breach of confidence and breach of the Data Protection Act 1998 (the UK implementation of the Data Protection Directive and the predecessor of the GDPR). The proceedings were split into a liability trial and a damages trial. This blog focuses on the liability ruling. On December 1, 2017, the High Court held that Morrisons was liable as an employer for the data breach caused by Mr. S. as its employee. Morrisons was not primarily liable under English law, because Mr. S. had not acted on behalf of Morrisons and Morrisons was not the data controller for the disclosed data (Mr. S. was). Morrisons was, however, vicariously liable as the employer, because there was a sufficient connection between Mr. S.'s work and the publication of the payroll data. That connection was established for the following reasons:

  • Mr. S.'s conduct formed a continuous, unbroken chain of events connected to his work;

  • Morrisons had knowingly entrusted Mr. S. with the data in the course of his work, and in doing so had taken the risk that its trust in him might be misplaced;

  • Morrisons had instructed Mr. S. to receive the payroll data, store it and pass it on to the external auditor. That was essentially his job. His decision to publish the data on the Internet, even though Morrisons had not consented to it and it was unlawful, was closely connected to that job.

The connection was sufficient regardless of the fact that the payroll data had been published outside working hours, from a personal computer, several months after the data was copied, and with the deliberate aim of harming Morrisons.

Morrisons appealed the High Court's ruling. On October 22, 2018, the Court of Appeal dismissed the appeal and upheld the High Court's reasoning. Morrisons has indicated that it will appeal to the Supreme Court.

Can an employer in the Netherlands also be held liable?

The English courts' rulings concern vicarious liability under English law (common law). In the Netherlands, vicarious liability is governed by Article 6:170 of the Dutch Civil Code (BW). This article imposes strict liability on the employer: the employer is liable for damage caused to a third party by a wrongful act of an employee. The third party who has suffered damage must show that the likelihood of the wrongful act was increased by the task assigned to the employee, and that the employer had control over the conduct in which the wrongful act occurred. There must therefore be a connection between the act and the employee's duties.

For the question of who ultimately bears the damage, Article 7:661 BW, which elaborates on Article 6:170 BW, is relevant. It provides that the damage is for the employer's account unless the employee caused it through intent or deliberate recklessness; in that case the damage is borne by the employee. In a case like Morrisons, the employer might therefore be held liable in the Netherlands as well, but the damage might ultimately fall on the employee via Article 7:661 BW. The employer must prove the intent or deliberate recklessness, and case law shows that employers often fail to do so: the burden of proving that an employee caused damage intentionally or with deliberate recklessness is high.

In the Netherlands, too, collective actions can be brought, under Article 3:305a BW. Particularly in large data breaches such as the Morrisons case, where many people are affected, a collective action can be a solution. A group can obtain a declaratory judgment that person X (or, as in this case, the employer) is liable and then use that declaratory judgment to claim damages in individual proceedings.

Article 82 GDPR also provides that any person who has suffered material or non-material damage has the right to receive compensation from the controller or processor for the damage suffered.

What does this mean for employers?

The outcome of the Morrisons case shows that employers can be held liable for data breaches caused by (malicious) employees. Especially in large-scale data breaches, the people whose data is affected can join forces and bring a collective action. A collective action is also possible under Dutch law, although damages can then (for the time being) only be claimed in individual proceedings.

So how can you guard against liability as an employer? It starts with GDPR compliance and measures to prevent data breaches: make sure you take adequate organisational and technical measures to secure personal data. The Morrisons case also shows that it is wise to lay down clear rules within your organisation on the handling of work files, for example in an ICT protocol for your staff. Who has access to these files, and is that access logged? May work files be sent to a personal e-mail address or stored on a personal computer or USB stick?

In addition, make sure you have a data breach protocol so that everyone in the organization knows how to act in the event of a data breach.

Employers can also insure against incidents such as the one at Morrisons; the Court of Appeal pointed this out in its ruling. Dedicated insurance policies for data breaches are now available.
