The UK’s highest court recently ruled that supermarket group Morrisons was not liable for the criminal act of an employee with a grudge who leaked the payroll data of about 100,000 members of staff, says law firm ENSAfrica.
The firm noted that the case serves as an important reminder that it is possible for an employer to be held vicariously liable for a data breach caused by an employee, in the event that the data breach occurred in the course and scope of the employee’s work.
“The determination of whether an employer may be held liable for the acts or omissions of its employee will need to be determined in light of the facts in each case.
“This means that there is no general rule to avoid this risk, but there are some general guidelines that should be followed to mitigate it,” ENSAfrica said.
It added that the risk of an employee being the cause of a data breach is generally high. There are numerous statistics that show that the weakest link in a company’s cybersecurity is often employees and contractors.
With a large number of employees now working from home, this risk has increased, it said.
Below ENSAfrica set out a few tips on how to mitigate the risk of being held vicariously liable for a data breach caused by an employee:
Separate data sets
Companies retain data for a number of different purposes, so it is important to ensure that these data sets are logically separated.
For example, your payroll data should not be mixed up with your marketing database.
If, in the Morrisons case, the payroll data provided to Mr Skelton also included the entire customer database, the potential liability would have been far more extensive.
Furthermore, ensuring logical separation of data sets makes that data more valuable to a company as it can be more efficiently processed for its purpose.
Ensure strict controls around data access and sharing
Policies must be implemented to ensure that employees are only granted access to data that is required for them to perform their functions.
In the Morrisons case, Mr Skelton had to first request the payroll data; he did not simply have it saved on his computer. If data sets are readily accessible by any employee, the type of conduct seen in the Morrisons case would be more likely to occur, even if only negligently.
Had the data been simply available to Mr Skelton, the data subjects would probably not have based their claims on vicarious liability, but rather on Morrisons’ failure to protect its data.
Provide clear instructions when data must be shared with employees for processing
When granting an employee access to data sets for specified purposes, specify those purposes in writing, keep a log of who was granted access and for what purpose, and ensure that once the purpose has been fulfilled the data set is returned and is no longer accessible to the employee.
On the facts of the Morrisons case, the log of requests showed that the employee had to first request access to the payroll data.
Furthermore, the instructions to Mr Skelton were clear and indicated that he had been granted access for a specified purpose only. This went a long way in proving that the disgruntled employee had ulterior motives which fell outside the scope of his duties.
Commentary by Era Gunning and Jessica Steele of ENSAfrica.