The Insider Threat: Another Dimension

14 December 2017

Rogue employees can cause a company significant reputational harm. They have inside knowledge of an organisation's security practices, data and computer systems – its trade secrets. Although organisations are increasingly alive to this risk and to the need to protect their proprietary and confidential information, the scope of the risk itself is broadening.

The High Court in Various claimants v WM Morrisons Supermarket plc [2017] EWHC 3113 (QB), 1 December 2017 (“Morrisons”) has found that an employer can be vicariously liable for an employee's disclosure of personal data of co-workers on the internet.

This case concerned a rogue employee who deliberately and criminally disclosed personal data belonging to co-workers (including bank and salary details) to a file-sharing website and then to newspapers. It is also the first US-style group litigation data breach case to come before the courts in England (the Target class action in the US resulted in its directors and officers being sued for a data breach and an $18.5m settlement). The compensation payable to the claimants collectively by Morrisons under the Data Protection Act 1998 is expected to be substantial.

The impact

Interestingly, this case did not turn on data protection laws but on the established principle of vicarious liability. The effect is that a company is responsible for the unauthorised actions of an employee – even when those actions are (a) prohibited, and (b) intended to cause harm to the company.

The penalty faced by a rogue employee in such a scenario would not come close to offsetting the damage caused. In Morrisons, the Court heard that the data breach had already cost the company £2 million in costs for dealing with the aftermath of the breach (and this does not take into account other financial loss sustained through ongoing reputational damage).

The Court did consider in detail the measures Morrisons had in place to protect the data, including the supervision of employees and their access to data. It recognised that these are useful precautionary measures which should be reviewed regularly. However, Morrisons also confirms that technological and organisational measures are not, by themselves, enough: a robust system could not have prevented a trusted employee from carrying out such an attack.

With the GDPR on the horizon, it is plausible that a multinational company could face multijurisdictional class actions in Europe as a result of a data breach. The impact on a business if this were to happen would be enormous.

What to do?

  • A robust security system is still a must: Companies affected by a data breach that is not caused by an employee are unlikely to be held liable if they have taken appropriate security measures. A company also has a better chance of detecting and mitigating the damage caused by a rogue employee if it has the right systems in place.
  • Maintain a comprehensive training and surveillance policy: It is important to set boundaries, to communicate a code of conduct that employees must adhere to, and to highlight activities detrimental to the business. Dealing with the aftermath of a rogue employee or bad leaver is easier if an employer can rely on a policy. An employee who can prove they acted responsibly would see a reduction in the damages payable.
  • Know your employees: It is legal for an employer to carry out monitoring and surveillance of its employees, and in some cases employers have a legal duty to do so. This is, however, a grey area, and much depends on the scope of the employment contract. Legal advice should be sought on how to implement a monitoring and surveillance system. It is a fine balancing exercise between an employee's right to privacy and the right to prevent them from causing harm to the company and to others.

Morrisons has indicated that it will appeal the vicarious liability finding. Watch this space. 


© 2020 Schillings International LLP. SCHILLINGS is a trading name of Schillings International LLP and Schillings International (USA) LLP.