The Insider Threat: Another Dimension
14 December 2017
Rogue employees can cause a company significant reputational harm. They have insider information into an organisation’s security practices, data, and computer systems – its trade secrets. Although organisations are becoming increasingly alive to this risk and the need to protect their proprietary and confidential information, the scope of the risk itself is broadening.
The High Court in Various claimants v WM Morrisons Supermarket plc EWHC 3113 (QB), 1 December 2017 (“Morrisons”) has found that an employer can be vicariously liable for an employee's disclosure of personal data of co-workers on the internet.
This case concerned a rogue employee who deliberately and criminally disclosed personal data belonging to co-workers (including bank and salary details) to a file-sharing website and then to newspapers. It is also the first US-style group litigation data breach case to come before the courts in England (the Target class action in the US resulted in its directors and officers being sued for a data breach and an $18.5m settlement). The compensation payable to the claimants collectively by Morrisons under the Data Protection Act 1998 is expected to be substantial.
Interestingly, this case did not turn on data protection laws but was instead based on the established principle of vicarious liability. The effect is that a company is responsible for the unauthorised actions of an employee, even when those actions are (a) prohibited and (b) aimed at causing harm to the company.
The penalty faced by a rogue employee in such a scenario would not come close to offsetting the damage caused. In Morrisons, the Court heard that the data breach had already cost the company £2 million in costs for dealing with the aftermath of the breach (and this does not take into account other financial loss sustained through ongoing reputational damage).
The Court did consider in detail the measures Morrisons had in place to protect the data, including the supervision of employees and their access to data. It recognised that these are useful precautionary measures which should be reviewed regularly. However, Morrisons also confirms that technological and organisational measures are not by themselves enough: even a robust system could not have prevented a trusted rogue employee from carrying out such an attack.
With the GDPR on the horizon, it is plausible for a multinational company to face multijurisdictional class actions in Europe as a result of a data breach. The impact on a business if this were to happen would be enormous.
What to do?
- A robust security system is still a must: Companies affected by a data breach that does not result from an employee's actions are unlikely to be held liable if they have taken appropriate security measures. A company also has a better chance of detecting and mitigating the damage caused by a rogue employee if it has the right systems in place.
- Maintain a comprehensive training and surveillance policy: It is important to set boundaries, to communicate a code of conduct that employees must adhere to, and to highlight activities detrimental to the business. Dealing with the aftermath of a rogue employee or bad leaver is easier if an employer can rely on a policy. An employee who can prove they acted responsibly would see a reduction in the damages payable.
- Know your employees: It is legal for an employer to carry out monitoring and surveillance of its employees, and in some cases employers have a legal duty to do so. This is, however, a grey area, and much depends on the scope of the employment contract. Legal advice should be sought on how to implement a monitoring and surveillance system. It is a fine balancing exercise between an employee’s right to privacy and the employer's right to prevent them from causing the company and others harm.
Morrisons has indicated that it will appeal the vicarious liability finding. Watch this space.