Data Breaches by Rogue Employees – UK Employer's "It wasn't me" Defence will not wash – and in Belgium …?

By Cecilia Lahaye

11-2018

In its October 2018 landmark decision the UK Court of Appeal held the supermarket chain Morrisons vicariously liable for the actions of a rogue employee who, out of spite against his employer, leaked the supermarket's payroll data (including bank details and salaries) and published it online[1]. Whilst the perpetrator was convicted for this unauthorised disclosure in 2015 and jailed for eight years, a group of some 5,518 of the affected employees filed a class action suit against their employer, seeking damages for the upset and distress caused.

In December 2017 the High Court ruled in favour of the group of employees, holding that their employer could be vicariously liable for the unlawful acts, which the court found had been committed in the course of the rogue IT auditor's employment. The question of how much compensation the employees were owed was postponed pending the appeal filed by Morrisons. In its 23 October 2018 ruling the Court of Appeal rejected this appeal, holding that the Data Protection Act 1998 (the law in force at the time of the breach) does not exclude an employer's vicarious liability for the misuse of private information by an employee. In a public statement Morrisons reiterated that it should not have been held responsible for the criminal actions of a former employee and promptly announced that it would appeal to the Supreme Court.

This case echoes an earlier decision in which the Supreme Court held (coincidentally, again) Morrisons liable for an act of violence committed by one of its employees against a customer. The fact that the employee misused his position and/or exceeded his authority did not preclude the employer's vicarious liability; the very reason the employer should be held responsible is that it selected the employee and put him in that position (Mr AM Mohamud v WM Morrison Supermarkets plc, 2 March 2016, [2016] UKSC 11, para. 45). Whatever the employee's motive for his actions may have been, obviously "personal racism rather than a desire to benefit his employer's business", Lord Toulson deemed it irrelevant (para. 48).

Under Belgian law, there is a legal basis for an employer's liability for acts committed by employees in the course of their employment, namely article 1384, § 3 of the Civil Code. If the act is committed during the service and has a connection, albeit indirect or circumstantial, with the service the employee was hired for, the employer will be liable for it. As these conditions are interpreted quite broadly, the mere fact that the employee was acting without the employer's authorisation does not suffice to exclude the employer's liability. In circumstances similar to those of the Morrisons case, a Belgian employer could therefore also be held liable for a data breach committed by a rogue employee[2].

Since September 2014, Belgian consumers have been able to seek collective redress via class actions for damages suffered individually as a result of a common cause. Under Belgian law, these suits must be brought by an approved representative body, such as the consumer organisation Test Achats/Test Aankoop. In May 2018, the first such class action was filed in Belgium in the wake of the Cambridge Analytica scandal, on behalf of 19,500 consumers (since grown to more than 34,000), seeking moral damages of at least EUR 200 each for the allegedly illegal use of their personal data by Facebook. Under Belgian law as it currently stands, class actions can in principle only be filed by "consumers", and therefore not by employees against their employer. However, in accordance with article 80 of the GDPR on the representation of data subjects, the Belgian legislator has recently given data subjects the right to mandate certain not-for-profit associations or bodies active in the field of data protection to lodge complaints on their behalf, either with the courts or with the administrative authorities, and thus to exercise their rights under the Data Protection Act. From that perspective, nothing would prevent any data subject, employee or not, from lodging a complaint against the company liable for a data breach, even if that company is the data subject's employer. Indeed, the mere fact that the persons whose data were breached also happen to be employees of the company held responsible for the breach would not preclude them from filing a lawsuit as a group of data subjects. This question is likely to become more pressing as the impact of the GDPR, and of the inevitable data leaks and breaches, becomes more visible in the future.

In view of this increased liability risk, a prudent and well-informed employer would do well to seek to prevent data breaches by raising awareness and training employees on the importance of data protection compliance. However, as diligent as the employer may be or may have been, this will not necessarily suffice to exclude its liability when things do go wrong. So what options are then left to the employer? In its defence, Morrisons pointed to the significant (financial) repercussions this precedent would have for companies for years to come. The Court of Appeal was not convinced and merely suggested that the solution would be to insure against data breaches caused by dishonest employees.

Or how one company's loss can ultimately be another (insurance) company's gain …


[1] For an in-depth analysis of this decision, see B. HURST (October 2018), "Morrisons' Vicarious Liability for Data Breach Upheld", https://www.twobirds.com/en/news/articles/2018/uk/morrisons-vicarious-liability-for-data-breach-upheld.

[2] On the subject of Belgian employers' liability for data breaches: VAN OLMEN, C. & LAHAYE, C., "De aansprakelijkheid van de werkgever in het licht van zijn nieuwe verplichtingen onder de Algemene Verordening gegevensbescherming", in Data Protection & Privacy/Le GDPR dans la pratique/De GDPR in de praktijk, Arthemis, 2017, (119), 127, nr. 7.
