Can employers be held liable for the criminal actions of rogue workers who disclose colleagues’ personal data on the Internet? In an important test case arising from a huge data leak from the personnel files of a supermarket chain, the High Court has answered that question in the affirmative.
The case concerned a trusted IT specialist who worked for the chain but bore a grudge against it after receiving a disciplinary rap over the knuckles. He copied the personal details – including names, addresses, dates of birth, telephone numbers, bank details and salaries – of almost 100,000 of his co-workers from the chain’s personnel files and placed them on a file-sharing website.
The chain was tipped off about the leak after a CD containing a copy of the data was sent to three newspapers. Deeply concerned that the leak might expose its staff to fraudulent ‘phishing’ or identity theft, the chain took swift and effective steps to remove the data from the web. The perpetrator was in due course identified and, after he was convicted of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA), he was jailed for eight years.
Lawyers representing more than 5,500 of the chain’s employees lodged damages claims against it, alleging that it was both, directly and indirectly, liable for the IT specialist’s misdeeds. The chain was alleged to have breached its strict duties under the DPA to protect its employees’ personal data. Other claims of misuse of personal data and breach of confidence were also pursued.
Ruling on the claims, the Court noted that any system that permits human access to data involves inevitable risks. The chain had internal checks in place and had taken appropriate steps to protect the data by limiting access to a few trusted employees. There was no way that the chain could have known of the IT specialist’s grudge and there had been no failure to provide adequate and proper controls. The chain had not been obliged to routinely monitor employees’ Internet access and its sole failing was that it did not have an organised, or failsafe, system in place for the deletion of data stored on individual workers’ computers.
The chain was nevertheless found indirectly – or vicariously – liable for the IT specialist’s criminal acts. It had deliberately entrusted him with its payroll data and he had been put in a position where he could handle it and disclose it to third parties. There was a sufficient connection between his job and his wrongful conduct to make it just for the chain to be held liable.
The Court’s ruling opened the way for the affected employees to seek compensation. However, in granting the chain permission to challenge its decision before the Court of Appeal, the Court noted that the chain was itself the primary target and victim of the embittered IT specialist’s actions. The result of the case could be viewed as the Court acting as an accessory in the furtherance of his criminal objectives.