6 November 2018

Employers are liable for rogue employees causing data breaches

The Court of Appeal has upheld a decision of the High Court which found that the Morrisons supermarket chain was vicariously liable for a massive data breach caused by a disgruntled former employee affecting many thousands of its workers. The ICO confirms that fines are set to increase substantially, and the EU-US Privacy Shield lives on (for now).

In 2014, in what is believed to be one of the largest data breaches ever in the UK, the bank details, salary and National Insurance details, dates of birth and addresses of nearly 100,000 employees were posted on data sharing websites by the disgruntled employee.  In July 2015 the rogue employee was found guilty of fraud, securing unauthorised access to computer material and disclosing personal data.

A group of nearly 6,000 current and former employees claim that the data breach has exposed them to the risk of identity theft and financial loss and that the supermarket was responsible for breaches of privacy, confidence and data protection law.  The group has also sought compensation from the supermarket for the distress and inconvenience caused.

In December 2017, the High Court held that although Morrisons was the target of the criminal’s wrongdoings and was not at fault in the way it protected the employees’ data, it was vicariously liable for the breach and actions of its former employee.  The High Court judge granted Morrisons permission to appeal on the grounds that he was ‘troubled’ that his findings may have rendered the court ‘an accessory in furthering the criminal’s aims’ because it was clear that the employee’s motivation in leaking the data was to cause damage to his employer.

The Morrisons case dealt with the liability of employers for the improper use of personal data by ‘rogue’ employees acting outside the permissions of their employer.  The Court of Appeal made a lengthy analysis of the law on vicarious liability and of when a statutory scheme displaces it, and concluded that the Data Protection Act 1998 did not exclude such a claim.  We have reviewed the 2018 Act on the same basis and concluded that the same would be true under the amended law.  So under the DPA 2018 employers will continue to be at risk of being held vicariously liable for the wrongful acts of their employees in respect of personal data.  Having compliant data protection policies and procedures will be of even greater importance under the DPA 2018, as failing to have them exposes employers both to primary liability for an employee-caused data breach (for example if insufficient security controls were in place) and also to regulatory fines for non-compliance, which can reach up to 4% of annual turnover.

This case is notable as it is the UK’s first successful group claim (akin to ‘class actions’ in other jurisdictions) for a data breach.  Group claims may gain in popularity as a means of redress for individuals whose personal data has been processed or disclosed improperly.  If the case proceeds further, those who process personal data on a large scale will be watching closely as the Court examines the nature and extent of the damages claimed, which could prove to be very substantial across more than 5,000 claimants.

Morrisons has stated that it will now seek to appeal to the Supreme Court.

Heathrow Airport fined for losing personal data including the Queen’s personal travel details

The Information Commissioner’s Office (ICO) has fined Heathrow Airport Limited (HAL) £120,000 for misplacing a USB stick containing airport security data.

The unencrypted USB stick was left inadvertently on public transport by a HAL employee, and is believed to have contained documents pertaining to maps of CCTV cameras, restricted area identifications, as well as airport security patrol timing and routes.  The device even contained the precise route travelled by the Queen when she would use the airport.

The device, which was also not password protected, was found in October 2017 by a member of the public in West London who viewed the contents at a local library before taking it to a local newspaper. The paper recorded the data before returning it to HAL.

According to the ICO, the stick contained 76 folders and over 1000 files, including the names, DOBs and passport numbers of 10 individuals, as well as the details of almost 50 HAL security staff. Furthermore, reports around the time of the incident suggest that documents comprising 2.5GB of the USB device were marked as “confidential” or “restricted”. The ICO declined to comment on these reports, stating it only investigates cases relating to personal privacy.

During its investigation, the ICO found that only 2% of HAL’s employees had received data protection training, and that staff frequently violated internal policies prohibiting the downloading of personal data onto removable storage devices. However, after being made aware of the breach, HAL took several steps to remedy the situation, including informing the police and hiring specialists to monitor internet and dark web activity for evidence that the data had been posted or sold.

It is worth noting that, as the breach occurred in October 2017, the case was dealt with under provisions of the Data Protection Act 1998. Given the serious nature of the breach, it is likely that a similar breach in the future will result in a considerably larger fine.

Facebook fined a maximum of £500,000 by the ICO

On October 25th 2018, the Information Commissioner’s Office (ICO) followed up its Notice of Intent issued in July of this year, and imposed the maximum £500,000 fine on Facebook for data protection breaches. The fine relates to breaches in connection with access to Facebook user data for up to 87,000,000 Facebook users worldwide, by a researcher and his company, who were also found to have sold some of those personal data, in breach of Facebook’s policies, including to the parent company of Cambridge Analytica, who were involved in political campaigning in the United States.

The ICO found that the breaches in question occurred between 2007 and 2014, and that upon discovering the improper use of data in December 2015, Facebook did not take adequate and swift action to seek to minimise the impact on users, for example by ensuring that improperly obtained data were deleted by third parties.  The ICO fine was issued under the Data Protection Act 1998, which provided for a maximum fine in the amount of £500,000.

Appearing before the Digital, Culture, Media and Sport Committee on November 6th 2018, the Information Commissioner confirmed that a much higher fine would have been issued if permitted under the 1998 Act.  Under the Data Protection Act 2018, and the EU General Data Protection Regulation, the maximum fine available would be 4% of Facebook’s global annual turnover.

EU-US Privacy Shield Framework survives second annual review

As we previously reported, the European Commission has been monitoring the EU-US Privacy Shield Framework, established in 2016, which permits the transfer of personal data between the EU and the United States.  The EC and senior officials from the United States government, together with European data protection authorities, met recently for the second annual review of the Privacy Shield framework.

In a joint press statement issued by Commissioner Věra Jourová and the US Secretary of Commerce, Wilbur Ross, it was noted that since the last annual review of the Privacy Shield, the US has taken steps to meet deficiencies raised earlier in the year by the European authorities:

  • Vacancies on the US Privacy and Civil Liberties Oversight Board (PCLOB) were filled, restoring both a chair and a quorum to the Board;
  • In an increase in transparency, the PCLOB declassified its report on a presidential directive which extended certain privacy protection to foreign nationals in relation to the interception of communication signals;
  • An Ombudsperson for the US Privacy Shield Ombudsperson Mechanism has also recently been appointed.

Discussions also addressed recent privacy incidents involving the personal data of Europeans as well as Americans.  The US Commerce Department confirmed that it would revoke the Privacy Shield certification for companies that do not comply with its data protection requirements.  The EU and US officials stated that they will continue to work together to ensure the Privacy Shield Framework functions as intended.  The EC will be publishing a report on its findings in relation to the functioning of the Privacy Shield by the end of the year.