Will an employer be held liable if an ex-employee commits a data breach?

Posted in: Seamus Says - Employment Law Discussion on 13 December 2017
Seamus McGranaghan
O'Reilly Stewart Solicitors
Issues covered:

Q. Will employers be held vicariously liable if an angry ex-employee commits a data breach and decides to post personal data online?

We're going to start off today with data protection. So Seamus, the question here is about a fairly well-reported case of Morrisons supermarket. The employer has been held liable for a data breach committed by a disgruntled employee. And that hardly seems fair on the company. Could you explain how this came about? And does it mean all employers could be held liable to compensate employees and customers if an angry ex-employee decides to post personal data online?

Seamus: This was a case that was relating to Morrisons supermarket. It has been well reported. But the background to it was that the employee was Andrew Skelton and he was 43. This was based at around the Liverpool area in terms of Morrisons. And that he was employed in a fairly senior position of Senior Internal Auditor.

And the circumstances had arisen where there were some disciplinary proceedings taken against the employee that was reported to do with legal haze. And in advance of the employee exiting his position, he had unfortunately taken data including bank and salary details of nearly 100,000 staff at Morrisons.

With that information, he proceeded to post that online, and he sent it to a number of newspapers so that they would report that this was capable of happening within Morrisons. And following that the employees were made aware, and they subsequently took a class action in the court system.

And so with a total of 5,518 former and current employees of Morrisons, and they were saying that essentially Morrisons was responsible for the breach. And for the breach of their privacy, their confidentiality and their data protection, and they're seeking compensation for upset and distress as a result of that. And so we then turn to the court outcome in relation to it.

Now the court were very clear that the employee Mr. Skelton had acted in a deliberate manner to do this. It wasn't a situation where there had been a breach by mistake or by accident. This was a deliberate set of circumstances by this employee who was disgruntled. So there was no doubt that there was an element of responsibility with the employer. And my understanding is the employee... there was a jail sentence that was given in relation to his actions.

But interestingly, as we know, this was a circumstance that happened at Morrisons. They are the employer and that the court found that they were vicariously liable. Decided they weren't primarily liable and they ruled that there was no breach of data protection, but they said that Morrisons had the responsibility for keeping personal data secure. And that the responsibility for confidentiality lies with the organization. And really it looked at and focused on how Morrisons protected the data, and protected the rights of their employees.

Scott: They gave him a laptop and effectively allowed him to take it home. I think there were issues about how that was controlled. If they'd done more, perhaps he wouldn't be in a position to post it.

Seamus: Yeah. And the court said that . . . its key question was what appropriate steps were taken to protect the data? And was there an appropriate response to the incident itself? So, there was a finding that they were vicariously liable. And the employees are claiming compensation for their upset and distress. Morrisons have appealed that decision. And I think that's probably not surprising given the fact that the judgement would seem somewhat unfair to Morrisons, and the fact that this was a deliberate act by a disgruntled employee.

But the court was clear that Morrisons are ultimately liable here. And if my information is with a third party, I do expect that they will protect that. And I will want to know what was going wrong if that doesn't happen. So they have appealed that. What we do know is that Morrisons has said that it has taken over £2 million in order to try and address the issues.

Q. Are they likely to receive a fine from the ICO?

Scott: And that's before any fines from the ICO and that's before compensation for these employees?

Seamus: Absolutely. This is just money that Morrisons have spent in order to try and rectify the situation, and in terms of the data and with their employees. And so, I mean, on top of that where we're looking at is, I would suspect that there will be an ICO fine that will arise, and their current standards at the minute under the existing data protection there's a maximum of £500,000 in that.

Of course, that changes when GDPR comes in, which could go up to €20 million or 4% of the turnover, which could be a serious kick. And the other aspect then, of course, is that the court have to make a finding subject to this appeal in terms of how much the employees could be awarded in terms of their upset and distress.

Scott: And most of those 5,000 employees presumably are 5,500, there's others in the background as well presumably that they may have come forward since this judgement.

Seamus: Well, we know that the total leak affected over 100,000 employees. So really, it's a smaller number that have come forward with the court case. And you would expect that if there is a judgement and that they are not precluded on the statutory basis or anything like that that they will follow through as well.

Scott: It's a bit harsh on supermarkets. They were found liable for an employee who beat up a customer in the forecourt not that long ago. And I believe there was another issue with Morrisons.

Q. What about consent?

Seamus: I know that there are concerns, and people are worried about GDPR coming in in May time. But just as I was doing a bit of research in relation to that I did come across there was a further Morrisons report of June 2017 on the ICO website.

What's specifically interesting about this one when it comes to GDPR is in around the area of consent. That back case it happened that Morrisons had been found to have deliberately sent 130,671 emails about marketing-related activities for Morrisons to members of the public, that related all to their loyalty card. That's where they got the emails from the addresses, and started to send the emails right was through the loyalty scheme that they had.

And those emails were sent in October/November 2016. And I talked about their current details and it provided various promotional and marketing material within those emails. And the fine in relation to that that was issued by ICO because they said that that was a breach, was for a total of £10,500.

And so not a massively significant fine, but certainly where I think that this will lead to would be if this happens post-GDPR in May, and we know that under GDPR that the consent has to be express. So it's no longer acceptable to have a pre-tick box and that the consent has to be clear and unambiguous. And I think that if this takes place or something similar happens post-GDPR, I think that the fine will be substantially increased.

Scott: Well, my calculation on that, so you just get £10,500, so make it £10,000 because it's easier for me. And you take the maximum fine that the ICO can award and multiply it by 40 to 20 million rather than half 0.5 million, then you're looking somewhere in the region of £400,000 to £450,000 just on the breach. If they stick to the same limit. So it was sizable enough.

Seamus: Absolutely. And it just would be concerned. And I mean, I did a seminar yesterday on GDPR. And one of the issues was really specific and around marketing material. And had to be very clear with people that you do need to consent to do that. Where you don't have the consent, that is going to be a breach, and that you have to also have that option for someone to be able to withdraw their consent and to do that quite easily.

And I'm what works with some of the other difficult task. So very much gone are the days where people can buy commercial lists of email addresses for people to target for business. And under GDPR that's going to be a significant problem for people.


This article is correct at 13/12/2017

The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.


The main content of this article was provided by Seamus McGranaghan. Contact telephone number is 028 9032 1000 or email seamus.mcgranaghan@oreillystewart.com
