GDPR - Rogue Employees and Data Breaches

Thursday, May 31, 2018

The General Data Protection Regulation (GDPR) which came into force on 25 May 2018, requires businesses subject to major personal data breaches to notify such breaches to the authorities. As well as the legal liability, there is the prospect of substantial reputational damage for businesses which do not properly secure their customers’ or employees’ data.

A rogue employee at UK supermarket chain Morrisons committed a criminal offence by putting the personal information of almost 100,000 employees on the internet. The High Court held that Morrisons was responsible.

Vicarious liability is the legal principle whereby one person is found liable for the unlawful acts of another. Employers can be liable for the actions of their employees, even where the employer has done nothing wrong.

Data breaches are a major concern for business. In this case the employee was a senior internal auditor at Morrisons’ headquarters. He bore a grudge against his employer after being disciplined for using the company’s mail room to operate an eBay business. He leaked employees’ payroll data online and alerted a number of newspapers about the leak.

The leaked information contained the bank account details, home addresses and telephone numbers of many employees,including checkout staff and shelf stackers. The employee was later jailed for 8 years for his actions. Around 5,000 of the affected employees brought claims against Morrisons for breach of the Data Protection Act 1998, misuse of private information and breach of confidence. While the company was not found to be directlyliable under the Data Protection Act (as it was not acting as the data controller in relation to the leaked data at the time it was leaked), the UK High Court found that Morrisons was vicariously liable for breaches of duties under the Data Protection Act, misuse of private information and breach of confidence. Despite Morrisons not being aware of the employee’s misconduct until the leak took place, the UK High Court found that there was a sufficient connection between the employee’s illegal actions and his employment, as Morrisons chose (incorrectly) to entrust him with the confidential information and when he covertly copied the data, he was doing so in his role as Morrisons’ employee.

Morrisons spent £2m in addressing the leak and now, subject to their appeal of the UK High Court’s judgment, face paying a significant amount of compensation to a large number of its employees.

The case emphasises the need for businesses to have a plan in place to deal with any data leak incidents and seek insurance cover for the same. Having a “dry run” to replicate a response to a rogue employee’s actions would be advisable. Businesses should also seek to restrict access to their most sensitive data to only those employees who have a genuine and strong need to access it, as well as ensure that all employees are trained on their obligations.



Paul McAleavey, Employment Law Solicitor, Girlings Solicitors T 01233 664711.