“Is an organisation responsible for an employee data breach?”
This question is rarely asked when people contact us for help and advice about a data protection compensation claim, but it can be a key one. Many people assume that the organisation – i.e. the person’s employer – must be responsible, but that’s not always the case.
Data breach incidents are assessed on a case-by-case basis, but there can be scenarios where an employee’s data breach can leave the employer vicariously liable, meaning the organisation they work for is who you pursue. In fact, a recent landmark case has potentially made it easier to do this as well.
Traditionally, applying vicarious liability can come down to what the employer could have done to prevent the data breach in the first place. If an employee commits a data breach because they have not been adequately trained, or because the organisation failed to have proper systems and protocols in place to prevent such breaches, an employer can be squarely liable. This is helpful for victims, as you can then claim against the company, and it allowed victims of the 56 Dean Street clinic breach to pursue the NHS Trust given that the employee’s data breach was really, in our view, down to systemic failures.
But what about malicious data breaches, or data breaches committed on purpose when an employee knew it would breach the rules?
Holding an employer liable when the employee has knowingly ignored the rules and/or maliciously committed an intentional data breach can be hard. Unless such behaviour could have been reasonably predicted and/or prevented, how can the employer have done anything else to have stopped the breach from happening?
This principle has applied to compensation claims for a long time, although the recent ruling in the Morrisons data breach case has left the supermarket giant liable for a data breach where an employee intentionally leaked the data of staff in revenge over a grievance he had with his (now former) employer. Although Morrisons pleaded that there was nothing they could have done to prevent the breach, the court held that Morrisons should be liable for the employee’s actions given that the employee was undertaking his usual duties when he maliciously leaked the data.
The key thing to know is that you should speak to us here at the Data Leak lawyers and we can assess any potential data breach case for you and give you advice, guidance and representation for cases we believe we can win. The new GDPR comes into force this month and it may make it even harder for organisations to evade liability for data breach claims as well, so never assume you don’t have a case.
Speak to us and we can see if we can help you: call our team for free from a landline or mobile on 0800 634 7575 today!