Ever wondered what would happen if your employee goes rogue and leaks confidential information? In a recent landmark decision, the High Court in Britain considered just that.
In 2014, Andrew Skelton, an internal auditor at the supermarket chain, Morrisons, published a file containing the personal information of nearly 100,000 fellow employees in an attempt to embarrass the company he worked for. He was found guilty of fraud, securing unauthorised access to computer material and disclosing personal information. The supermarket chain was awarded £170,000 in compensation as a result of the data breach and Mr Skelton was jailed for eight years.
Subsequently, over 5,000 current and former Morrisons employees brought a claim that the data leak had exposed them to potential identity theft and other financial loss. They sought compensation for the distress and loss caused. Morrisons denied liability, arguing that the company was not liable either directly or indirectly for Mr Skelton's criminal misuse of the data and that it had already suffered serious damage, having incurred £2 million in costs as a result of the data breach.
Mr Skelton had been upset by disciplinary procedures he had been subject to for using the company’s mail room to sell items on eBay. He decided to take revenge by publishing Morrisons’ payroll data. He did this by publishing the information on a file sharing website and sending the link to three newspapers.
In hearing the claim by Morrisons’ employees, the judge cleared the company of primary liability, ruling it had not breached data protection principles. He said: "Morrisons have not been proved to be at fault by breaking any of the data protection principles [of Britain’s Data Protection Act 1998], and neither primary liability for misuse of private information nor breach of confidentiality can be established."
But the judge said Morrisons was vicariously liable for Mr Skelton’s actions under the extended concept of acting in the course of employment. Vicarious liability means an employer can be liable for the acts or omissions of its employees, provided it can be shown that they took place in the course of their employment.
New Zealand context
This situation might have unfolded differently if it had occurred in New Zealand. Section 126(4) of the Privacy Act protects employers against an employee’s unauthorised release of information, if the employer can prove they have taken reasonable steps to prevent employees from leaking information.
Information privacy principle 5 of the Act might be the new best friend of employers. Principle 5 protects employers who have taken reasonable steps to prevent unauthorised disclosure of personal information.
Possibility of appeal
It is interesting to note that the British privacy legislation has a similar defence to section 126(4) - section 13(3). Morrisons raised section 13(3) as a defence to Mr Skelton’s actions but the Court did not address this argument. Time will tell whether Morrisons will appeal the decision and use this defence again.
The Court concluded its decision by allowing Morrisons to appeal the finding of vicarious liability. We’ll note the outcome of that appeal when it becomes available.
The implications for British employers for the time being are that they will need to revise their security measures concerning employee and customer information to protect more carefully against the rogue employee.