Our guest blog this month is from John Green of GDPR Training Ltd, our partners who deliver GDPR training to several of our clients. John is a solicitor specialising in data protection matters.
Recently we have seen the long-awaited judgment in the Court of Appeal case of Morrisons, concerning a malicious data leak by one of its employees and the potential implications for employers faced with having to pay crippling compensation.
This case involved a senior and trusted employee of Morrisons, Skelton, who, as a senior IT internal auditor, had legitimate access to a large payroll database of almost 100,000 employees. The database contained such information as names, addresses, gender, dates of birth, telephone numbers, National Insurance numbers, bank account details and details of salary.
Skelton deliberately leaked these details on the dark web and tried to frame a colleague. He was arrested and convicted in July 2015 for breaches of the Computer Misuse Act 1980 and the Data Protection Act 1998, and was sentenced to 8 years' imprisonment.
So far over 5,000 of those almost 100,000 affected Morrisons employees have brought a claim. The matter has been split into the issue of liability and the issue of damages.
The Court had to decide firstly whether Morrisons were directly liable for the breach under the Data Protection Act 1998 and secondly whether they would be vicariously liable for the malicious acts of their employee.
On the first point the Court found that Morrisons was not the relevant controller at the time of the breach; Skelton was, and so Skelton would be directly liable under the Data Protection Act 1998. Morrisons did not owe a direct duty to those on the database under the Data Protection Act 1998 as it was not the controller that carried out the breach.
It was found that Morrisons had done all it could in terms of appropriate technical and organisational measures as per principle 7 of the Data Protection Act 1998 (superseded on 25 May 2018 by Art 5(1)(f) of the General Data Protection Regulation, which contains similar terms). The only criticism of Morrisons was that it failed to ensure Skelton had deleted the personal data after its use, but overall its data protection was quite good.
The Information Commissioner's Office (ICO), the supervisory authority in the UK, did not pursue Morrisons as it felt Morrisons had implemented appropriate technical and organisational measures; it viewed Morrisons as the victim of a criminal act. As a result it was held that Morrisons was not directly liable to those on the list for the actions of the rogue employee Skelton.
The second decision for the Court to make was whether Morrisons should be vicariously liable for the malicious acts of this employee, where his intention was to cause maximum damage to Morrisons and he carried the act out in a criminal manner.
At first instance the Court found that Morrisons was vicariously liable for the malicious acts of its employee. The Judge was troubled by the concept that, given the potential financial implications to Morrisons of such a breach, the Court was acting as an accessory to Skelton by helping a criminal achieve his goal of damaging Morrisons, and on his own motion gave leave to appeal.
At the Court of Appeal advanced arguments were raised by Morrisons that the Data Protection Act excluded vicarious liability. The Court was unimpressed with such arguments and found it clear that the Data Protection Act does not exclude vicarious liability and on the facts of the case (vicarious liability is very fact-specific), Morrisons should be vicariously liable for the acts of Skelton.
A third argument put forward by Morrisons' barrister was that Skelton was not "on the job" at the time he committed his criminal acts, and that this therefore meant Morrisons would not be vicariously liable for Skelton's actions. However, the Court found that irrelevant and quoted Lord Toulson JSC from Mohamud, where he said at para 40:
“The risk of an employee misusing his position is one of life’s unavoidable facts.”
Morrisons submitted that the financial implications to it could achieve the very effect the criminal intended, as a claim by almost 100,000 claimants is potentially a devastating financial blow to Morrisons. The Court did not accept this: vicarious liability applies regardless of intention and consequences.
The Court recognised there had been a number of reported large-scale data breaches in the media which could have potentially ruinous consequences for those involved. The Court said the solution for such an outcome is a matter of insurance, and employers need to look to insure themselves against potential rogue acts by employees.
The Court was not told what Morrisons’ insurance position was but, in any event, it cannot affect the result.
What employers need to do
The Court found that Morrisons had put everything in place to ensure adequate data protection, such as training, and therefore it was not primarily liable.
The Court recognises that employees who have access to large amounts of personal data are a potentially huge liability for a business, and the only answer is to ensure you are adequately insured, as you will be vicariously liable.
Therefore all employers need to:
- Ensure they roll out a program of compulsory annual training, both to prevent primary liability for any data breaches by their employees, whether accidental or malicious, and to ensure their insurer will indemnify them (insurers are unlikely to indemnify you if you have not had any compulsory training in place).
- Speak to their insurer with regard to the following:
  - There is sufficient insurance to cover acts of rogue employees.
  - There is sufficient insurance to cover human error (by far the biggest threat).
  - Whether the insurance policy will indemnify if the Information Commissioner's Office finds no adequate training has been put in place.
- Ensure appropriate access controls are in place.
Why compulsory training?
The biggest threat to any employer for data leaks is not a Skeltonesque malicious employee but, more commonly, simple human error. In addition to internal policies and procedures, training is paramount.
Reading the ICO penalty notices, one finds that in the vast majority of cases disclosure of personal data was due to a lack of training, and thus the employer had failed to put in place appropriate technical or organisational measures.
Some data breaches now require mandatory reporting to the ICO. When doing so one of the questions posed is whether the person involved in the breach has had data protection training within the last 2 years. The cost of sanctions could potentially far exceed any investment your organisation makes.
An insurer may well escape liability for a big claim if it cannot be demonstrated that the person involved has had appropriate data protection training.
As a minimum I would recommend at least the following compulsory training program for all employers:
- Annual 20-minute eLearning for employees who handle personal data on a day-to-day basis.
- Annual 1-hour eLearning for managers.
- Annual half-day face-to-face training for those who legitimately have access to large amounts of personal data or process special categories of data, especially the likes of IT, human resources, payroll and auditors.
- 1-day step-by-step, face-to-face course for those who are in charge of data protection implementation.
To assist all employers, GDPR Training carries out free, no-obligation data protection training needs assessments.
About the author
John Green is a solicitor of 13+ years' standing. He is in-house solicitor to GDPR Training Ltd, a company providing online all-staff data protection eLearning, public data protection courses and in-house bespoke training. John is also a consultant at Green Legal Assistance and advises on data protection matters.