In the recent UK case of WM Morrison Supermarkets plc v Various Claimants  EWCA Civ 2339 an employer was found legally liable after the personal and confidential data of thousands of its employees leaked online. What made this case particularly noteworthy was that the data was deliberately leaked by a disgruntled employee with the sole intention of causing harm to the employer. While our data protection laws are not yet as advanced as those in the UK, the Morrison case should be viewed as a serious wake up call for all employers when it comes to their responsibilities, risks and potential liabilities for data protection and security.
The Morrison Case
Mr. Skelton was employed with Morrison as a senior IT internal auditor. He had recently received a warning from the company for a disciplinary offence and, to put it mildly, was not happy with the company. As part of his job, Mr. Skelton had access to the payroll data for all of Morrison’s employees, including their names, addresses, salaries, national insurance numbers and bank account information. He copied that data onto a personal USB stick and took it home, where he then posted it on a file sharing website. Morrison discovered the data breach and took immediate steps to take the website down. However, significant damage had already been done. The employees whose data had been leaked were understandably concerned that it could be used for identity theft or to access their bank accounts. They brought a class action suit against Morrison for breach of the UK Data Protection Act (DPA), breach of confidence and misuse of private information. One of the main issues that the Court had to decide was whether Morrison should be held to be ‘vicariously’ liable for the actions of Mr. Skelton.
The Court found that Morrison was liable. There was a sufficient connection between Mr. Skelton’s position as senior IT internal auditor and his wrongful conduct. The fact that his intention was to cause deliberate harm to Morrison was irrelevant. As a ‘data controller’ within the meaning of the DPA, Morrison had a responsibility to take reasonable steps to ensure that they had adequate and appropriate technical and organisational measures in place to guard against unauthorised or unlawful disclosures of personal data. The Court found that Morrison failed in that it did not have an organised system for managing the deletion of data, i.e. the employee data which Mr. Skelton had downloaded for legitimate work purposes was never erased, allowing him to copy it unto his personal USB stick at a later date.
Morrison was recently given permission to appeal this decision at the UK Supreme Court, and it remains to be seen what the final outcome will be. Nevertheless, if the decision is upheld, it will have serious ramifications for all employers in the UK.
Takeaways for Employers
The Morrison case is not binding in T&T and our data protection laws are not on par with those in the UK. Whilst we have a Data Protection Act in T&T, only certain provisions of it are currently passed as law. Moreover, the Regulator provided for in the legislation to enforce the T&T DPA has not been established. As such, data protection rights for citizens exist primarily in principle.
However, that is unlikely to remain the case indefinitely. Sooner or later T&T will be forced to catch up with the rest of the world when it comes to data protection legislation. Until then, redress for data breaches may be achieved by other means, including actions for breach of confidence and misuse of private information.
Hence, it would be in all employers’ interests to create a culture change, by implementing in the workplace an approach based on privacy by design and default for the various processes and systems used. This would also make it easier to adapt when the time arrives to comply with the T&T DPA. Additionally, people are reportedly more trusting of a company, if they know that their data is not used in unauthorised ways and that reasonable steps are taken to prevent its theft or loss. Therefore, having protective measures could be a marketing tool to enhance a business’ goodwill.
- Implement (or increase) technical and organizational security measures to secure their data. Such measures include: encryption software, folder access control (e.g. access to certain persons only), data minimization (deleting data after a certain time, having backed it up in an offline location), physical security (e.g. vaults, gated premises, locked filing cabinets), privacy and IT security training for staff, amongst other things.
- Consider obtaining insurance against data breaches especially those caused by dishonest or malicious employees. This was one of the suggestions made by the Court in the Morrison case.
Disclaimer: This Document Provides General Guidance Only And Nothing In This Document Constitutes Legal Advice. Should You Require Specific Assistance, Please Contact Your Attorney-At-Law.