The UK's highest court recently ruled that Morrisons, a supermarket group, was not vicariously liable for the criminal act of an employee with a grudge who leaked the payroll data of about 100 000 members of staff.
Many companies sighed in relief on hearing that the Supreme Court of Appeal did not hold Morrisons vicariously liable. Vicarious liability is the legal principle of holding someone responsible for the acts or omissions of another, and it is most often applied in the employer-employee context. The principle is an equitable one and is common in most jurisdictions, including South Africa.
While English law and South African law share many similarities, we caution that when it comes to the application of the principles of vicarious liability, South African courts have developed slightly different rules. Despite this, the case serves as an important reminder that it is possible for an employer to be held vicariously liable for a data breach caused by an employee, where the act or omission by the employee that led to the data breach occurred in the course and scope of the employee's work. Whether an employer may be held liable for the acts or omissions of its employee will depend on the facts of each case. This means that there is no general rule to avoid this risk, but there are some general guidelines that should be followed to mitigate it.
The risk of an employee being the cause of a data breach is generally high. There are numerous statistics that show that the weakest link in a company's cybersecurity is often employees and contractors. With a large number of employees now working from home, this risk has increased. Valuable insights in respect of risk reduction can be drawn from the Morrisons case.
The facts of the Morrisons case, briefly, were that Mr Skelton (a disgruntled employee) had been delegated the task of providing payroll data to Morrisons' external auditors (KPMG in this instance). Once Mr Skelton was granted access to the payroll data, he dutifully passed it on to KPMG. However, he also went on to upload a file containing the data of 98 998 of the employees to a publicly accessible file-sharing website, with links to the data posted on other websites. It turns out he was actually trying to frame another colleague and anonymously informed the press about the leak of data.
In light of this case, we set out a few tips on how to mitigate the risk of being held vicariously liable for a data breach caused by an employee.
- Be conscious of and plan for the risks associated with working remotely - see our article on the risks associated with remote working and how to prevent them here.
- Have a robust and practical data sharing policy - ensuring that the appropriate processes are in place when it comes to data sets is important. Here are a few points which a data sharing/processing policy should deal with:
- Separate data sets - companies retain data for a number of different purposes, so it is important to ensure that these data sets are logically separated. For example, your payroll data should not be mixed up with your marketing database. If, in the Morrisons case, the payroll data provided to Mr Skelton had also included the entire customer database, the potential liability would have been far more extensive. Furthermore, logical separation of data sets makes that data more valuable to a company, as it can be more efficiently processed for its purpose.
- Ensure strict controls around data access and sharing - policies must be implemented to ensure that employees are only granted access to data that is required for them to perform their functions. In the Morrisons case, Mr Skelton had to first request the payroll data; he did not simply have it saved on his computer. If data sets are readily accessible by any employee, the type of conduct in the Morrisons case would be more likely to occur, even if only negligently. Had the data simply been available to Mr Skelton, the data subjects would probably not have based their claims on vicarious liability, but rather on Morrisons' failure to protect its data.
- Provide clear instructions when data must be shared with employees for processing - when granting an employee access to data sets for specified purposes, be sure to specify those purposes (in writing), keep a log of who was granted access and the purpose for that access, and ensure that once that purpose has been fulfilled the data set is returned and is no longer accessible to the employee. On the facts of the Morrisons case, the log of requests proved that the employee had to first request access to the payroll data. Furthermore, the instructions to Mr Skelton were clear and indicated that he had been granted access for a specified purpose only. This went a long way in proving that the disgruntled employee had ulterior motives which fell outside the scope of his duties.
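The three points above describe one control: access to a logically separate data set is granted only on request, only for a written purpose, only for a limited time, and every grant, check and revocation is recorded. The following Python register is an added illustration of that control; it is not code from ENSafrica or from the Morrisons case. The class and method names, the data set names "payroll" and "marketing", the employee identifier "emp-1042" and the timestamps are all constructed for the example.

```python
"""Purpose-bound, time-limited access grants with an audit log (hypothetical example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Grant:
    grant_id: int
    employee: str
    dataset: str
    purpose: str        # the written purpose the policy requires
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        return self.revoked_at is None and self.granted_at <= now < self.expires_at


class DataAccessRegister:
    """Issues grants against logically separate data sets and logs every decision."""

    def __init__(self, datasets: List[str]) -> None:
        self._datasets = frozenset(datasets)   # each data set is its own scope
        self._grants: List[Grant] = []
        self.audit_log: List[str] = []

    def _log(self, now: datetime, event: str, **fields) -> None:
        detail = " ".join(f"{k}={v}" for k, v in fields.items())
        self.audit_log.append(f"{now.isoformat()} {event} {detail}")

    def request_access(self, employee: str, dataset: str, purpose: str,
                       ttl: timedelta, now: datetime) -> Grant:
        """Record a request; refuse unknown data sets and grants without a purpose."""
        if dataset not in self._datasets:
            raise ValueError(f"unknown data set: {dataset}")
        if not purpose.strip():
            raise ValueError("a written purpose is required for every grant")
        grant = Grant(len(self._grants) + 1, employee, dataset, purpose, now, now + ttl)
        self._grants.append(grant)
        self._log(now, "GRANT", id=grant.grant_id, employee=employee, dataset=dataset,
                  purpose=repr(purpose), expires=grant.expires_at.isoformat())
        return grant

    def is_access_allowed(self, employee: str, dataset: str, now: datetime) -> bool:
        """Allow only while an unexpired, unrevoked grant exists for this exact data set."""
        allowed = any(g.employee == employee and g.dataset == dataset and g.is_active(now)
                      for g in self._grants)
        self._log(now, "ALLOW" if allowed else "DENY", employee=employee, dataset=dataset)
        return allowed

    def complete_purpose(self, grant_id: int, now: datetime) -> None:
        """The purpose has been fulfilled: the grant is closed and access ends."""
        grant = self._grants[grant_id - 1]   # ids are issued as 1-based positions
        if grant.revoked_at is None:
            grant.revoked_at = now
            self._log(now, "REVOKE", id=grant_id, reason="purpose-fulfilled")

    def expire_stale(self, now: datetime) -> int:
        """Close grants whose time limit has passed; returns how many were closed."""
        closed = 0
        for g in self._grants:
            if g.revoked_at is None and now >= g.expires_at:
                g.revoked_at = now
                self._log(now, "REVOKE", id=g.grant_id, reason="expired")
                closed += 1
        return closed

    def active_grants(self, employee: str, now: datetime) -> List[Grant]:
        return [g for g in self._grants if g.employee == employee and g.is_active(now)]


def demo() -> Dict[str, object]:
    """Walk one constructed grant through its life cycle and return the decisions."""
    t0 = datetime(2020, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    reg = DataAccessRegister(["payroll", "marketing"])
    g1 = reg.request_access("emp-1042", "payroll",
                            "hand payroll extract to external auditor",
                            timedelta(hours=24), t0)
    out: Dict[str, object] = {}
    out["payroll_during"] = reg.is_access_allowed("emp-1042", "payroll", t0 + timedelta(hours=1))
    # A payroll grant says nothing about the marketing database: separate data sets.
    out["marketing_during"] = reg.is_access_allowed("emp-1042", "marketing", t0 + timedelta(hours=1))
    reg.complete_purpose(g1.grant_id, t0 + timedelta(hours=2))
    out["payroll_after_completion"] = reg.is_access_allowed("emp-1042", "payroll", t0 + timedelta(hours=3))
    # A second, short grant that is never explicitly closed still lapses on its own.
    reg.request_access("emp-1042", "payroll", "re-run auditor extract", timedelta(hours=1),
                       t0 + timedelta(hours=3))
    out["expired_count"] = reg.expire_stale(t0 + timedelta(hours=5))
    out["payroll_after_expiry"] = reg.is_access_allowed("emp-1042", "payroll", t0 + timedelta(hours=5))
    out["active_at_end"] = len(reg.active_grants("emp-1042", t0 + timedelta(hours=5)))
    out["audit_log"] = reg.audit_log
    return out


if __name__ == "__main__":
    for line in demo()["audit_log"]:
        print(line)
```

The audit log is the part that mattered in the case: it records that access was requested rather than simply held, for what purpose, and when it ended. In a real deployment the log would be written to append-only storage outside the employee's control and the grant would be enforced by the system holding the data, not only recorded.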
A disgruntled employee causing a data leak is as much a data breach as an employee being duped by a phishing scam. It is essential to ensure that your potential liability is reduced in both of these scenarios and in related ones. If you need assistance with formulating the appropriate data retention and processing policies, contact our experts at ENSafrica.
Originally published 28 APR 2020.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.